Entity Types Overview
The Aerospace Safety Solution RTM model organizes work items into four functional categories:| Category | Entity Types | Purpose |
|---|---|---|
| Requirements | CustomerRequirement, SystemRequirement, SubsystemRequirement, DesignRequirement | V-model left-side decomposition from stakeholder needs to design specifications |
| System Decomposition | SystemElement, Function, Characteristic | Physical architecture, functional allocation, and design attributes |
| Safety Analysis | FailureMode, FailureCondition, RiskControl, SecurityThreat, Hazard | FHA, FMEA, and security assessment entities |
| Verification | TestCase, ConfigurationItem, ComplianceObjective, ComplianceRequirement | Right-side validation/verification and compliance tracking |
Requirements Decomposition Chain
The V-model requirements flow follows a strict four-level decomposition hierarchy:CustomerRequirement
Internal Type ID:customerRequirementSpace: Requirements
Classification: SC (Safety Critical) or CC (Certification Critical)
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., CUST-001) |
| Title | String | — | Requirement statement from customer specification |
| Description | Text | — | Detailed requirement text and rationale |
| Classification | Enum | — | SC (Safety Critical) or CC (Certification Critical) |
| Module | Reference | CUSTOMER-REQS | Fixed to customer requirements document |
| Verified By | Link | — | TestCase items that validate this requirement (right-side of V-model) |
- Must reside in CUSTOMER-REQS module
- Constrained to top-level customer specification documents
- Classification is mandatory for requirements traceability
- Cannot be directly implemented — must be refined into SystemRequirements
SystemRequirement
Internal Type ID:sysReqSpace: Requirements
Classification: SC or CC
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., SR-001) |
| Title | String | — | System-level requirement statement |
| Description | Text | — | Detailed specification and design intent |
| Classification | Enum | — | SC (Safety Critical) or CC (Certification Critical) |
| Refines | Link | — | Parent CustomerRequirement(s) |
| Refined By | Link | — | Child SubsystemRequirement(s) or DesignRequirement(s) |
| Verified By | Link | — | TestCase items in SystemReqsVerification module |
- Constrained to systemRequirementsSpecification document type
- Must reference a parent CustomerRequirement via ‘refines’ link role
- Classification cascades from parent customer requirement
- Forms the middle tier of the V-model decomposition
SubsystemRequirement
Internal Type ID:sysReq (same as SystemRequirement)Space: Requirements
Classification: SC or CC
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., SUBSR-SUB-001) |
| Title | String | — | Subsystem-level requirement statement |
| Description | Text | — | Specification for a specific subsystem or LRU |
| Classification | Enum | — | SC or CC |
| Subsystem Context | Reference | — | SystemElement (subsystem) this requirement applies to |
| Refines | Link | — | Parent SystemRequirement |
| Refined By | Link | — | Child DesignRequirement(s) |
| Verified By | Link | — | TestCase items in SubsystemReqsVerification module |
- Constrained to subsystemRequirementsSpecification document type
- Document must be linked to a SystemElement (subsystem) via systemElementId
- Context-aware pick lists filter parent SystemRequirements by subsystem
- Enables multi-level decomposition for complex systems
DesignRequirement
Internal Type ID:desReqSpace: Design
Classification: SC or CC
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., DR-CMP-001) |
| Title | String | — | Low-level design requirement or specification |
| Description | Text | — | Detailed design specification |
| SubType | Enum | — | system / software / hardware — filters DO-178C (SW) vs DO-254 (HW) views |
| Classification | Enum | — | SC or CC |
| Environmental Category | Enum | — | DO-160G environmental qualification category (e.g., Cat-3A, Cat-3C) |
| Component Context | Reference | — | SystemElement (component) this requirement applies to |
| Refines | Link | — | Parent SystemRequirement or SubsystemRequirement |
| Refined By | Link | — | Child Characteristic(s) |
| Verified By | Link | — | TestCase items in DesignReqsVerification module |
- Constrained to designRequirementsSpecification document type
- SubType determines regulatory domain: software → DO-178C, hardware → DO-254
- Context-aware pick lists filter parent requirements by component
- Environmental category links to DO-160G qualification matrix
Characteristic
Internal Type ID:characteristicSpace: Design
Classification: SC or CC
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., CHAR-CMP-001) |
| Title | String | — | Design characteristic (e.g., operating temperature range) |
| Characteristic Type | Enum | — | Environmental / Electrical / Mechanical / Thermal / Performance |
| Target Value | String | — | Specification value or range (e.g., -40°C to +85°C) |
| Tolerance | String | — | Acceptable tolerance band |
| Unit | String | — | Measurement unit (e.g., °C, volts, ohms) |
| Classification | Enum | — | SC or CC — carries forward from parent DesignRequirement |
| Environmental Category | Enum | — | DO-160G category for environmental characteristics |
| Assessed By | Link | — | FailureMode items in DFMEA analysis |
- Constrained to characteristicsSpecification document type
- Classification and environmental category inherited from parent DesignRequirement
- Bridge between design specifications and DFMEA failure analysis
- Used in DO-160G Environmental Qualification PowerSheet
System Decomposition Entities
SystemElement
Internal Type ID:systemElementSpace: Design
Classification: DAL (Design Assurance Level: A, B, C, D, E)
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., FCC, FCC-1, FCC-1-1) |
| Title | String | — | System/subsystem/component name (e.g., Flight Control Computer) |
| Element Type | Enum | — | System / Subsystem / Component / LRU / Module |
| Design Assurance Level (DAL) | Enum | — | A (most critical) to E (least critical) per ARP 4754A |
| Parent | Link | — | Parent SystemElement (for subsystems/components) |
| Outline Number | String | — | Hierarchical numbering (e.g., 1.2.3) for document outline |
| Functions | Link | — | Function items allocated to this element |
| Failure Conditions | Link | — | FailureCondition items assessed against this element |
| Security Threats | Link | — | SecurityThreat items affecting this element |
- Element Type determines decomposition level: System → Subsystem → Component → LRU
- DAL classification flows from FHA (FailureCondition) severity assessment
- Parent link enforces hierarchy: no circular dependencies, no orphaned branches
- Outline number auto-increments based on parent-child relationships
Function
Internal Type ID:functionSpace: Design
Classification: None (inherits DAL from allocated SystemElement)
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., FUNC-001) |
| Title | String | — | Function description (e.g., “Provide flight control outputs”) |
| Description | Text | — | Functional specification and operational context |
| Allocated To | Link | — | SystemElement(s) this function is allocated to |
| Failure Modes | Link | — | FailureMode items in SFMEA analysis (causes) |
| Failure Conditions | Link | — | FailureCondition items in FHA analysis (assessed via this function) |
- Central to ARP 4761 safety assessment — every failure mode must trace to a function
- Functions must be allocated to at least one SystemElement
- No function can exist without allocation
- Used as the bridge between system decomposition and SFMEA/FHA
Safety Analysis Entities
FailureMode
Internal Type ID:failureModeSpace: Risks
Classification: Severity, Occurrence, Detection (pre/post mitigation)
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., FM-001) |
| Title | String | — | Failure mode description (e.g., “Loss of output signal”) |
| Description | Text | — | Detailed failure mechanism |
| Function | Link | — | Function this failure mode affects (SFMEA) or Characteristic (DFMEA) |
| Failure Mechanism | String | — | Root cause or mechanism of failure |
| Severity (S) | Enum | Pre-mitigation | Catastrophic / Hazardous / Major / Minor / No Effect |
| Occurrence (O) | Enum | Pre-mitigation | 5 (5+ per 10^5 hrs) to 1 (< 1 per 10^5 hrs) |
| Detection (D) | Enum | Pre-mitigation | 5 (not detected) to 1 (always detected) |
| RPN (Risk Priority Number) | Calculated | S × O × D | Severity × Occurrence × Detection |
| Causes | Text | — | Known or potential root causes |
| Current Controls | Text | — | Existing design features or tests |
| Mitigated By | Link | — | RiskControl(s) that reduce this failure mode’s severity/occurrence |
| Causes Failure Condition | Link | — | FailureCondition(s) this mode contributes to (FHA linkage) |
- Severity must be assigned (no default to Major)
- Occurrence and Detection assessed both pre- and post-mitigation
- RPN = S × O × D (calculated, not manually entered)
- Every failure mode must link to at least one Function or Characteristic
FailureCondition
Internal Type ID:failureConditionSpace: Risks
Classification: Severity, Flight Phase, Probability Target
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., FC-001) |
| Title | String | — | Failure condition description (e.g., “Complete loss of flight control”) |
| Description | Text | — | Detailed failure condition and operational impact |
| Classification | Enum | — | Catastrophic / Hazardous / Major / Minor / No Safety Effect (ARP 4761) |
| Flight Phase | Enum | — | Ground / Takeoff / Climb / Cruise / Descent / Landing |
| Affects System Element | Link | — | SystemElement(s) this failure condition impacts |
| Affects Function | Link | — | Function(s) this failure condition impacts |
| Contributing Failure Modes | Link | — | FailureMode(s) that can cause this condition (reverse of ‘causeOf’) |
| DAL Allocation | Enum | — | A to E — allocated DAL for mitigating safety requirements |
| Probability Target (P) | String | — | Probability of occurrence target per flight hour or operation (e.g., < 1×10⁻⁹ per flight hour) |
| Mitigated By | Link | — | SafetyRequirement(s) and RiskControl(s) that mitigate this condition |
- Classification is mandatory (no unclassified failure conditions)
- Must specify a flight phase (operational context for failure probability)
- DAL allocation flows from classification severity
- FHA → PSSA → SSA traceability: FHA identifies conditions, PSSA allocates SAF reqs, SSA verifies evidence
RiskControl
Internal Type ID:riskControlSpace: Risks
Classification: RiskControlType (InherentSafety, Protective, InfoForSafety)
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., RC-001) |
| Title | String | — | Risk control description |
| Description | Text | — | Control strategy and implementation approach |
| Risk Control Type | Enum (multi-select) | — | InherentSafety (eliminate hazard) / Protective (mitigate hazard) / InfoForSafety (inform user) — per ARP 4761 §5.5 |
| Implements | Link | — | SafetyRequirement(s) and/or DesignRequirement(s) implementing this control |
| Mitigates | Link | — | FailureMode(s) and/or FailureCondition(s) controlled by this action |
| Verification Method | Enum | — | Analysis / Test / Inspection / Demonstration |
| Verification Evidence | Reference | — | Test case, report, or analysis document demonstrating control effectiveness |
| Effectiveness Rating | Enum | — | High / Medium / Low — subjective assessment |
- At least one RiskControlType must be selected
- Multi-select allows combination (e.g., both InherentSafety and Protective)
- Must mitigate at least one FailureMode or FailureCondition
- Must implement at least one Requirement or be a design feature
SecurityThreat
Internal Type ID:securityThreatSpace: Security (DO-326A)
Classification: SAL (Security Assurance Level)
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., ST-001) |
| Title | String | — | Security threat description (e.g., “Unauthorized code injection”) |
| Description | Text | — | Threat scenario and attack vector |
| Affects System Element | Link | — | SystemElement(s) vulnerable to this threat |
| SAL (Security Assurance Level) | Enum | — | SAL-I (lowest) to SAL-V (highest) per DO-326A |
| Probability | Enum | — | High / Medium / Low — likelihood of exploitation |
| Impact | Enum | — | Critical / Major / Moderate — consequence if exploited |
| Mitigated By | Link | — | RiskControl(s) and SecurityRequirement(s) |
- Constrained to Security Assessment and CCA (Common Cause Analysis) documents
- SAL allocation independent of DAL but often correlated with failure criticality
- Used in security threat assessment and DO-326A compliance tracking
Verification Entities
TestCase
Internal Type ID:testCaseSpace: Testing
Classification: Method (Test, Analysis, Inspection, Demonstration)
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier with prefix (e.g., VER-SR-001, VAL-REQ-001) |
| Prefix Convention | String | — | VER- (verification, right-side V-model) or VAL- (validation, system-level) |
| Title | String | — | Test case description |
| Expected Results | Text | — | Pass/fail criteria |
| Test Method | Enum | — | Test / Analysis / Inspection / Demonstration |
| Environmental Category | Enum | — | DO-160G environmental qualification context (if applicable) |
| Validates | Link | — | CustomerRequirement(s) (system-level validation) |
| Verifies | Link | — | SystemRequirement / SubsystemRequirement / DesignRequirement(s) |
| Test Level | Enum | — | System / Subsystem / Design — matches requirement level |
| Execution Status | Enum | — | Not Started / In Progress / Passed / Failed |
- Prefix VER- for verification tests, VAL- for validation tests
- Constrained to Testing space documents (SystemReqsVerification, SubsystemReqsVerification, DesignReqsVerification, ValidationTests)
- Test case automatically created when requirement is added (via entityFactory)
- Test Level must match the requirement level being verified (system req → system test)
ConfigurationItem
Internal Type ID:configurationItemSpace: Configuration (SCM)
Classification: Status (Draft, Approved, Rejected, Baselined)
| Property | Type | Default | Description |
|---|---|---|---|
| ID | String | Auto-generated | Unique identifier (e.g., CI-001) |
| Title | String | — | Configuration item name (document, component, software unit) |
| CI Type | Enum | — | Document / Software / Hardware / Interface |
| Status | Enum | — | Draft / In Review / Approved / Rejected / Baselined |
| Version | String | — | Version identifier (e.g., 1.0, 1.1, 2.0) |
| Baseline Date | Date | — | Date when CI was baselined |
| Change History | Link | — | Related Change Request(s) and Problem Report(s) |
- Uses built-in Polarion workitem fields for basic tracking
- Linked to SystemElement(s) via configuration management hierarchy
- Status transitions follow document workflow (Draft → Review → Approved → Baselined)
Relationships and Traceability Links
The RTM domain model defines 18 link roles connecting the entity types:V-Model Decomposition (Left Side)
| Link Role | Source | Target | Cardinality | Purpose |
|---|---|---|---|---|
| refines | CustomerRequirement | SystemRequirement | 1:N | V-model decomposition |
| refines | SystemRequirement | SubsystemRequirement | 1:N | Subsystem-level decomposition |
| refines | SystemRequirement | DesignRequirement | 1:N | Direct to design (single-level systems) |
| refines | SubsystemRequirement | DesignRequirement | 1:N | Subsystem to design decomposition |
| refines | DesignRequirement | Characteristic | 1:N | Characteristics implement design reqs |
Verification Chain (Right Side)
| Link Role | Source | Target | Cardinality | Purpose |
|---|---|---|---|---|
| validates | TestCase | CustomerRequirement | N:M | System-level validation (system testing) |
| verifies | TestCase | SystemRequirement | N:M | System verification testing |
| verifies | TestCase | SubsystemRequirement | N:M | Subsystem verification testing |
| verifies | TestCase | DesignRequirement | N:M | Design verification testing |
Safety Assessment Links
| Link Role | Source | Target | Cardinality | Purpose |
|---|---|---|---|---|
| allocatedTo | Function | SystemElement | N:M | Functions allocated to system elements |
| assesses | FailureCondition | Function | N:M | FHA assesses system functions |
| assesses | FailureCondition | SystemElement | N:M | FHA assesses system elements |
| causeOf | FailureMode | FailureCondition | N:M | FMEA → FHA linkage (failure modes cause conditions) |
| assessedBy | Characteristic | FailureMode | N:M | DFMEA assesses design characteristics |
| mitigates | RiskControl | FailureMode | N:M | Risk controls reduce failure mode severity |
| mitigates | RiskControl | FailureCondition | N:M | Risk controls mitigate failure conditions |
| implements | RiskControl | DesignRequirement | N:M | Risk controls implement safety requirements |
System Decomposition
| Link Role | Source | Target | Cardinality | Purpose |
|---|---|---|---|---|
| parent | SystemElement | SystemElement | 1:N | Hierarchical system decomposition (System → Subsystem → Component) |
PowerSheet Views and RTM Navigation
The RTM domain model is explored via four primary PowerSheet configurations:Whole RTM (Complete Traceability Matrix)
Shows the full four-level requirements chain with verification test cases:
- 4 color-coded column groups with collapsible headers
- SC/CC classification renderer
- Summary view (hides descriptions for dashboard overview)
- Without Verification view (hides test case columns)
Component RTM (Scoped View)
Document-scoped traceability showing SubsystemRequirements and their Design Requirements:
- Uses
applyCurrentDocumentToconstraint to show only current document’s requirements - Two column groups: Parent requirements (back-link) and Children (forward expand)
DO-160G Environmental Qualification
Maps Design Requirements to environmental specifications and qualification tests: DesignReq (with envCategory) → Characteristic → TestCase (qualification test) Features:- 3 column groups: Design Requirements, Environmental Specifications, Qualification Tests
- envCategory formatter displays DO-160G section codes
- By DO-160G Section view groups results by environmental category
Design Verification Sheet
Maps Design Requirements to verification test cases: DesignReq → TestCase (in DesignReqsVerification module) Features:- entityFactory enables test case creation directly in the PowerSheet
- Scoped to Testing/DesignReqsVerification document
Document Organization by System Level
The RTM model constrains documents to specific system decomposition levels, enabling proper separation of concerns:| System Level | Requirements Space | Design Space | Risk Analysis Space | Testing Space |
|---|---|---|---|---|
| System | SRS (System Reqs Spec) | Functions Spec | FHA, PSSA, SSA, System SFMEA, FTA, CCA | SystemReqsVerification, ValidationTests |
| Subsystem | SUBRS (Subsystem Reqs Spec) | Subsystem Functions, Subsystem Characteristics | Subsystem SFMEA | SubsystemReqsVerification |
| Component | — | DRS (Design Reqs Spec), Component Characteristics | DFMEA | DesignReqsVerification |
The complete RTM domain model runtime behavior (cascading DAL/classification updates, automatic test case creation, and cross-document constraint enforcement) should be verified in the live Aerospace Safety Solution application. Thin source coverage available for this reference page — consult project configuration files and the Data Model wiki page in Polarion for complete schema details.
Key Constraints and Rules
Classification Cascade
- CustomerRequirement SC/CC → propagates to all refined SystemRequirements
- SystemRequirement SC/CC → propagates to all refined DesignRequirements
- DesignRequirement SC/CC → flows to Characteristic(s)
- FailureCondition Severity → allocates DAL to mitigating SafetyRequirement(s)
No Orphaned Items
- Every DesignRequirement must refine a parent requirement (no unparented design reqs)
- Every TestCase must verify or validate a requirement (no test cases without traceability)
- Every FailureMode must link to a Function or Characteristic (no floating failure modes)
- Every Function must allocate to a SystemElement (no unallocated functions)
Environment and Context Awareness
- DesignRequirement subType (software/hardware) determines regulatory domain (DO-178C vs DO-254)
- Environmental Category filters DO-160G qualification matrix views
- Flight Phase context in FailureConditions drives operational risk assessment
- SystemElement DAL allocation determines verification method rigor
Source References (dev)
Source References (dev)
Code:
.polarion/pages/spaces/_default/Data Model/page.xml (0.59) · .polarion/nextedy/models/rtm.yaml (0.53) · .polarion/nextedy/sheet-configurations/Whole RTM Config.yaml (0.44) · .polarion/nextedy/sheet-configurations/DO-160G Environmental Qualification.yaml, Component RTM.yaml, Configuration Index.yaml, Design Verification Sheet.yaml, Interface Control Matrix.yaml, Problem Report Tracker.yaml, Process Steps.yaml, Review Action Item Tracker.yaml, SOI Stage Gate Dashboard.yaml, Use Steps Specification.yaml, User Need Validation Sheet.yaml, characteristics.yaml, component-characteristics.yaml, customer-requirements.yaml, design-requirements.yaml, subsystem-functions.yaml, subsystem-verification.yaml, system-elements.yaml, test-verification.yaml (0.38)