Compliance Mapping
Use this matrix to align TRF artifacts with common automotive and AI compliance requirements. The goal is to reuse the same evidence package across multiple audits.
| Evidence area | ISO 26262 | Automotive SPICE | UN-R155/R156 | AI/ML Governance |
|---|---|---|---|---|
| Requirements management | requirement, safety_requirement | SYS.2, SWE.1 | Update policies (ota_campaign) | Model requirements (requirement with tags: ["ml"]) |
| Hazard/threat analysis | hazard, safety_goal | MAN.3 risk tracking | threat, vulnerability, risk_assessment | Algorithm impact assessments (risk_analysis) |
| Architecture & design | design, component | SYS.3, SWE.3 | Security controls (control) | Model architecture (model with lineage) |
| Verification & validation | test, coverage reports | SWE.5/SWE.6 | Post-update tests, monitoring reports | Model validation metrics, dataset coverage |
| Configuration/change control | manifest.json, change request links | SUP.1, SUP.8 | CSMS operation records | Experiment logs (experiment) |
| Production & deployment | work_instruction, maintenance_plan | SUP.9 | Deployment reports (ota_campaign) | Deployment monitoring (runtime_monitor) |
Creating multi-standard packs
- Choose a primary profile (e.g., `automotive_safety`).
- Add extensions for additional domains (`ai_ml`, `cybersecurity`).
- Define validation targets per standard (ASIL coverage, regression coverage, vulnerability remediation coverage).
- Tag artifacts with relevant standards (`tags: ["ISO26262", "UNR155"]`).
Reporting shortcuts
- `tw export --format iso26262` – Safety summary (requirements, hazards, verification status).
- `tw export --format aspice` – Process-oriented summary keyed by base practices.
- `tw export --format unr155` – Cybersecurity posture summary with threat/control mapping.
- `tw export --format ai-governance` – Dataset/model lineage and bias metrics.
Sharing with stakeholders
- Supply chain partners can deliver their own TWPack files; import them using `tw merge` and preserve provenance via signatures.
- Auditors receive the TWPack plus targeted HTML/PDF exports; they can verify signatures independently.
- Regulatory submissions reference package checksums and repository tags to ensure authenticity.
For concrete examples, review sector-specific guides in Use Cases.