Demonstrated Traceability

Document ID: VDC-RTM-001
Version: 1.0
Date: February 1, 2026
Effective Date: February 1, 2026
Status: Approved

1. Purpose

This Requirements Traceability Matrix (RTM) provides complete bidirectional traceability between:

  • User Requirements (URS) → Business and regulatory needs
  • Functional Specification (FS) → Technical design and implementation
  • Test Cases (IQ/OQ/PQ) → Verification and validation evidence

The RTM ensures every requirement is implemented, tested, and validated, demonstrating compliance with GxP, CSV, and 21 CFR Part 11.

2. Traceability Summary

  • Total Requirements: 31
  • Verified: 31
  • Critical Priority: 25
  • Test Coverage: 100%

3. Traceability Matrix

| Req ID | Category | Requirement | FS Section | Test Case(s) | Status | Priority |
|---|---|---|---|---|---|---|
| URS-001 | Submission | Allow authorized Submitters to upload documents | 3.2, 4.1 (upload-init) | PQ-001, PQ-002 | Verified | Critical |
| URS-002 | Submission | Generate unique document ID for each upload | 4.1 (submit), 5.1 | OQ-010, PQ-003 | Verified | Critical |
| URS-003 | Submission | Calculate and store SHA-256 hash for integrity | 4.1 (submit), 7.3 | OQ-011, PQ-015 | Verified | Critical |
| URS-004 | Submission | Record submission timestamp in ISO 8601 (UTC) | 4.1 (submit), 5.1 | OQ-012, PQ-004 | Verified | Critical |
| URS-005 | Submission | Store documents in encrypted storage (S3 SSE) | 2.2, 5.3, 6.1 | IQ-005, OQ-020 | Verified | Critical |
| URS-010 | Approval | Allow Approvers to view pending approval requests | 3.2, 4.1 (approvals-pending) | PQ-005, PQ-006 | Verified | Critical |
| URS-011 | Approval | Display document metadata (ID, filename, submitter, date, hash) | 4.1 (documents-list), 5.1 | OQ-013, PQ-007 | Verified | Critical |
| URS-012 | Approval | Allow Approvers to download and review documents | 4.1 (download) | PQ-008, PQ-009 | Verified | Critical |
| URS-013 | Approval | Provide Approve and Reject actions | 4.1 (approve, reject) | PQ-010, PQ-011 | Verified | Critical |
| URS-014 | Approval | Require MFA-authenticated session for approval | 3.3, 4.2 | OQ-002, PQ-012 | Verified | Critical |
| URS-020 | Security | Authenticate users via Cognito with MFA | 2.2, 3.3 | IQ-002, OQ-001, OQ-002 | Verified | Critical |
| URS-021 | Security | Enforce role-based access control (Submitter, Approver) | 4.2, 6.2 | OQ-003, PQ-013, PQ-014 | Verified | Critical |
| URS-022 | Security | Prevent Submitters from approving own documents | 6.2 | OQ-004, PQ-014 | Verified | Critical |
| URS-023 | Security | Encrypt data in transit (TLS 1.2+) and at rest (AES-256) | 2.2, 6.1 | IQ-003, IQ-005, OQ-020 | Verified | Critical |
| URS-030 | Audit | Create audit records for all document submissions | 7.1, 7.2 | OQ-014, PQ-016 | Verified | Critical |
| URS-031 | Audit | Create audit records for approval/rejection actions | 7.1, 7.2 | OQ-015, PQ-017 | Verified | Critical |
| URS-032 | Audit | Audit records include: user, action, timestamp, outcome, docID | 5.2, 7.1 | OQ-016, PQ-018 | Verified | Critical |
| URS-033 | Audit | Audit records are immutable (no delete/update) | 5.2, 6.3, 7.1 | IQ-006, OQ-017 | Verified | Critical |
| URS-034 | Audit | Provide audit trail retrieval for inspection | 4.1 (document-audit), 7.2 | OQ-018, PQ-019 | Verified | Critical |
| URS-040 | Data Integrity | Attributable: Actions linked to authenticated user | 3.3, 7.1, 7.3 | OQ-019, PQ-020 | Verified | Critical |
| URS-041 | Data Integrity | Legible: Records human-readable in UTF-8 | 5.1, 5.2, 7.3 | OQ-021, PQ-021 | Verified | Critical |
| URS-042 | Data Integrity | Contemporaneous: Timestamps at time of action | 5.1, 5.2, 7.3 | OQ-012, PQ-022 | Verified | Critical |
| URS-043 | Data Integrity | Original: Documents stored in original format | 5.3, 7.3 | OQ-022, PQ-023 | Verified | Critical |
| URS-044 | Data Integrity | Accurate: SHA-256 hashes verify integrity | 4.1, 7.3 | OQ-011, PQ-015, PQ-024 | Verified | Critical |
| URS-050 | Performance | Document upload completes within 30s for 10MB files | Section 9 | PQ-030 | Verified | High |
| URS-051 | Performance | Approval list loads within 3 seconds | Section 9 | PQ-031 | Verified | High |
| URS-052 | Performance | Support 100 concurrent users | Section 9 | PQ-032 | Verified | High |
| URS-060 | Availability | Maintain 99.5% uptime during business hours | Section 9 | PQ-040 | Verified | High |
| URS-061 | Availability | Provide graceful error messages for failures | 4.3 | OQ-030, PQ-041 | Verified | Medium |
| URS-070 | Backup | Daily backups with 30-day retention | Section 8 | IQ-010, OQ-040 | Verified | High |
| URS-071 | Backup | Audit logs retained for minimum 7 years | Section 9 | IQ-011, OQ-041 | Verified | Critical |

4. Test Case Reference

Complete test execution results are documented in IQ/OQ/PQ Results.

4.1 Test Case Categories

| Test Type | Prefix | Purpose | Examples |
|---|---|---|---|
| Installation Qualification | IQ-### | Verify AWS resources deployed correctly | IQ-002 (Cognito), IQ-005 (S3 encryption) |
| Operational Qualification | OQ-### | Test individual Lambda functions and APIs | OQ-010 (submit), OQ-014 (audit logs) |
| Performance Qualification | PQ-### | End-to-end workflow validation | PQ-001 (upload), PQ-010 (approve) |

5. Bidirectional Traceability

5.1 Forward Traceability

URS → FS → Test Cases

Every user requirement traces forward through design to verification:

URS-003 (Calculate SHA-256 hash) → FS 4.1, 7.3 (Submit Lambda calculates hash) → OQ-011, PQ-015 (Tests verify hash calculation)

5.2 Backward Traceability

Test Cases → FS → URS

Every test case traces backward to verify a specific requirement:

PQ-012 (Test MFA enforcement) → FS 3.3, 4.2 (Cognito MFA + JWT validation) → URS-014 (Require MFA for approvals)

6. Gap Analysis

Result: 100% traceability achieved. All 31 requirements have:

  • ✅ Functional design documented in FS
  • ✅ Test cases executed and verified
  • ✅ Evidence captured in IQ/OQ/PQ protocols

No gaps or untested requirements identified.

7. Related Documents

8. Approval

Quality Assurance: William O'Connell, February 1, 2026
Validation Lead: William O'Connell, February 1, 2026