top of page

Requirements Traceability Matrix: A Practical Guide

  • Contributor
  • Apr 5
  • 5 min read

A requirements traceability matrix (RTM) maps each requirement to where it's designed, implemented, and tested. The artifact has a reputation as bureaucratic overhead — and full traceability often is — but lightweight traceability earns its keep, especially in regulated environments or large projects.

This guide is how to build one that helps without becoming a maintenance burden.

What an RTM Captures

For each requirement, the RTM tracks:

  • Where it's designed (which document, decision, or model)

  • Where it's implemented (which code or component)

  • Where it's tested (which test cases)

  • Its status (proposed, approved, implemented, verified)

The result is a table that lets you answer questions like:

  • "Have we built REQ-014?"

  • "What breaks if we change REQ-007?"

  • "Which requirements aren't tested yet?"

  • "Did this release deliver everything we said it would?"

Why Teams Hate RTMs

The bad RTM is a spreadsheet maintained manually, drifting from reality, providing fake assurance. Engineers tune out; auditors get a green checkmark; nobody benefits.

The bad version is heavy because it tries to map everything to everything: every requirement to every line of code, every test, every design artifact. Maintenance is impossible.

The good version is lighter, more selective, and ties to systems that update themselves where possible.

When an RTM Is Worth It

Strong fit:

  • Regulated environments where auditors expect documented mapping

  • Safety-critical systems where coverage matters legally

  • Large projects with many parallel streams

  • Multi-vendor work where each party owns part

  • Long-lived products where institutional memory matters

Poor fit:

  • Small agile teams where requirements live in tickets

  • Continuously evolving products

  • Internal tools

  • Anything where the maintenance cost would exceed the value

For most modern web product teams, a lightweight version is enough.

The Working Template

| Req ID | Description | Status | Design Ref | Implementation | Test Cases | Owner |
|--------|-------------|--------|------------|----------------|------------|-------|
| REQ-001 | Users can sign in via email/password | Implemented | ADR-005 | auth/login.py | TC-101, TC-102 | Auth team |
| REQ-002 | Email verification on signup | Implemented | ADR-005 | auth/verify.py | TC-105 | Auth team |
| REQ-003 | Password reset via email | In progress | ADR-009 | auth/reset.py | TC-110 | Auth team |

A spreadsheet, a database, or a Jira view — pick the tool. The format matters less than what it captures.

The Lightweight Approach

For most teams:

  • Requirements live in tickets (Jira, Linear, etc.)

  • Tests link to requirement tickets (test name or comment references REQ-014)

  • Code links to requirement tickets (PR descriptions reference REQ-014)

  • The "RTM" is queries against the ticket system ("show all unfinished requirements")

This produces traceability without a separate document to maintain. The ticket system is already the source of truth.

The Heavyweight Approach

For regulated environments:

  • Formal requirements document with IDs

  • Design documents that explicitly reference requirement IDs

  • Test cases with explicit requirement coverage

  • Code modules linked to requirements

  • Periodic audits verifying the matrix is current

The overhead is significant but justified when external parties need traceability evidence.

Bidirectional Traceability

Forward traceability: from requirement to implementation and tests. Answers "is REQ-014 done?"

Backward traceability: from code or test to requirements. Answers "why does this code exist?"

Both are useful. Forward catches gaps in delivery. Backward catches code that's not requirement-justified (often a sign of scope creep).

Coverage Metrics

The RTM enables specific coverage metrics:

  • Requirements coverage by tests: percentage of requirements with at least one verifying test

  • Requirements coverage by implementation: percentage built

  • Test alignment: percentage of tests linked to specific requirements

For regulated environments, near-100% coverage on the first metric is expected. For others, it's a diagnostic.

What Goes in vs. Stays Out

In an RTM:

  • Functional requirements

  • Non-functional requirements

  • Compliance requirements

  • Acceptance criteria (sometimes)

Generally not:

  • Implementation details

  • Project tasks

  • Status reports

  • Design rationale (lives in ADRs)

The RTM is about requirements, not all work.

Maintaining It

The biggest risk is staleness. Mitigations:

  • Update at PR review. Any PR that addresses a requirement updates the link.

  • Auto-generation where possible. Tooling that scans code for @requirement REQ-014 annotations.

  • Periodic audits. Quarterly or pre-release walk-through.

  • Owner per requirement. Someone responsible for keeping its row current.

Without active maintenance, the RTM becomes worse than nothing — it lies.

Tools

Options:

  • Spreadsheets for small-scale or one-time projects

  • Jira (with custom fields) for many software teams

  • Polarion, DOORS for regulated/enterprise contexts

  • Custom databases or wiki tables for specific needs

The right tool depends on scale. Spreadsheets are fine for dozens of requirements; they collapse at thousands.

When Things Change

Requirements evolve. Implementations evolve. Tests evolve. The RTM has to keep up.

Patterns:

  • Add new requirements with new IDs; don't renumber.

  • Mark deprecated requirements rather than deleting (audit history).

  • Version the RTM if requirements change substantially.

  • Track changes to specific rows.

Treat the RTM with the same versioning discipline as code.

Common Mistakes

Maintenance theater. RTM exists; nobody updates it. Provides false assurance.

Bidirectional copying. Engineers manually update the RTM with what they did. Drift guaranteed.

Over-decomposition. Thousands of "requirements" that are really tasks. RTM becomes unmaintainable.

Coverage gaming. Tests added solely to satisfy coverage metrics, not to verify behavior.

Tool obsession. Spending more time on the RTM tool than on the work.

Audit-Driven RTMs

In regulated environments, the RTM is for auditors. Two patterns:

Continuous: maintained as work progresses. Always current. Higher day-to-day cost; lower audit cost.

Audit-time: built specifically for audits. Cheap day-to-day; expensive when audit hits.

Continuous is usually less total cost despite the higher day-to-day overhead. Audit-time builds tend to lose detail that the day-to-day knowledge would have captured.

A Worked Example

For an authentication module:

| Req ID | Description | Status | Design | Code | Tests |
|--------|-------------|--------|--------|------|-------|
| REQ-001 | Sign in via email/password | Implemented | ADR-005 | auth/login.py | tc_signin_valid, tc_signin_invalid, tc_signin_locked |
| REQ-002 | Email verification before activation | Implemented | ADR-005 | auth/verify.py | tc_verify_token_valid, tc_verify_token_expired |
| REQ-003 | Password reset via email | In progress | ADR-009 | auth/reset.py (in PR) | tc_reset_request, tc_reset_complete |
| REQ-004 | Sign-in rate limiting | Implemented | ADR-010 | auth/middleware.py | tc_rate_limit_enforced, tc_rate_limit_window |
| REQ-005 | Session expiry after 24h | Implemented | ADR-005 | auth/session.py | tc_session_expires |
| REQ-006 | MFA via TOTP | Backlog | - | - | - |

Six requirements. Five built and tested; one in progress; one planned. Clear status; clear traceability.

Key Takeaway

A requirements traceability matrix maps requirements to design, code, and tests. Heavy when forced everywhere; useful when lightweight and selective. For most teams, traceability through the ticket system is enough — requirements are tickets, tests and PRs reference ticket IDs, queries answer traceability questions. For regulated environments, formal RTMs are worth the maintenance cost. Update continuously rather than at audit time. Treat it as a source of truth, not paperwork; update with the same discipline as code.

Related reading

Keep learning. This article is part of the Requirements & Business Process Improvement path in the ShiftQuality Learning Center. Elicit, prioritize, and trace requirements that survive reality.

bottom of page