5.0: Agile and ASPICE

Introduction

Agile development emphasizes rapid iteration, customer collaboration, and working software. ASPICE demands documented processes, traceability, and comprehensive verification. Many believe these are contradictory—but they're actually complementary when implemented correctly. This chapter shows how to achieve ASPICE CL2/CL3 using Agile methods.

The Perceived Conflict

Common Misconceptions

Misconception Reality
"Agile means no documentation" Agile values working software OVER comprehensive documentation, not instead of it
"ASPICE requires waterfall" ASPICE is process-agnostic; it specifies WHAT to achieve, not HOW
"Agile is too fast for ASPICE reviews" Agile's frequent reviews (sprint reviews, retrospectives) align perfectly with ASPICE SUP.1
"You can't do ASPICE in 2-week sprints" Sprint artifacts (user stories, DoD, acceptance tests) ARE ASPICE work products

Truth: Agile and ASPICE are complementary. Agile provides the delivery cadence; ASPICE ensures quality and traceability.

Agile V-Model

Combining Agile Iterations with V-Model Structure

This diagram shows how Sprint 0 establishes the V-Model baseline by defining the process framework, toolchain, and initial architecture before iterative development begins.

Sprint 0 Baseline

Key Insight: Each sprint completes a mini V-cycle for a feature increment.

ASPICE Processes in Agile Context

Mapping Agile Artifacts to ASPICE Work Products

ASPICE Process Traditional Work Product Agile Equivalent Storage
SYS.2 System Req System Requirements Specification Epic descriptions + acceptance criteria Jira Epics + Confluence
SWE.1 SW Req Software Requirements Specification User Stories + Definition of Done (DoD) Jira Stories
SWE.2 SW Arch Software Architecture Document Architecture Decision Records (ADR) Markdown in docs/architecture/
SWE.3 SW Design Detailed Design Document Code + inline comments + README Git repository
SWE.4 Unit Test Unit Test Specification + Report Unit tests (pytest, Unity) + CI report Git tests/ + CI artifacts
SWE.5 Integration Test Integration Test Spec + Report Integration tests + HIL tests Git tests/integration/ + CI
SWE.6 Qualification Test Qualification Test Spec + Report Acceptance tests (Gherkin, Robot Framework) Git tests/acceptance/
SUP.1 QA Quality Audit Reports Independent QA reviews + Retrospectives QA reports in Confluence
SUP.8 Config Mgmt Configuration Management Plan Git branching strategy + tagging CONTRIBUTING.md in Git
SUP.9 Problem Res Problem Reports Jira Bugs Jira
SUP.10 Change Mgmt Change Requests Jira Change Requests Jira
MAN.3 Project Mgmt Project Plan Sprint Planning + Burndown Charts Jira + Confluence

Important — SUP.1 Independence: ASPICE requires organizational independence for quality assurance. Sprint Reviews and Retrospectives satisfy communication and reflection practices but cannot fulfill independent QA. A dedicated QA Engineer who is not a member of the Scrum team must review outputs against ASPICE process criteria. The QA function must report through a separate management chain.

Conclusion: Agile artifacts satisfy ASPICE requirements when properly structured.

Sprint as ASPICE Work Product Container

Sprint Anatomy

The following diagram breaks down a typical sprint flow, showing how ASPICE work products are generated at each stage from planning through implementation, review, and retrospective.

Sprint Flow

Evidence Collection: Each sprint generates ASPICE work products organically.

Definition of Done (DoD) as ASPICE Quality Gate

Sprint DoD Checklist

# Definition of Done (DoD) - ASPICE CL2 Compliant

## Feature-Level DoD (per User Story)

### SWE.1 (Requirements)
- [ ] User Story has clear acceptance criteria
- [ ] Story traced to parent Epic (bidirectional link in Jira)
- [ ] Acceptance criteria are testable

### SWE.3 (Design & Implementation)
- [ ] Code written and committed to feature branch
- [ ] Code adheres to coding standard (MISRA C:2012)
- [ ] Static analysis passed (0 critical/high findings)
- [ ] Code review completed (2 approvals)

### SWE.4 (Unit Testing)
- [ ] Unit tests written for all new functions
- [ ] Code coverage ≥ 80% (branch coverage)
- [ ] All unit tests pass in CI

### SWE.6 (Acceptance Testing)
- [ ] Acceptance tests written (Gherkin scenarios OR manual test cases)
- [ ] Acceptance tests executed and passed
- [ ] Product Owner accepts the story

### SUP.8 (Configuration Management)
- [ ] Feature branch merged to `develop`
- [ ] PR linked to Jira story (traceability)

### SUP.9 (Problem Resolution)
- [ ] No open bugs related to this story

---

## Sprint-Level DoD (per Sprint)

### Integration
- [ ] All stories integrated into `develop` branch
- [ ] Integration tests pass (SWE.5)
- [ ] No regression failures

### Documentation
- [ ] README.md updated (if architecture changed)
- [ ] API documentation generated (Doxygen)

### Quality
- [ ] SonarQube quality gate passed
- [ ] No critical security vulnerabilities (Trivy scan)

### Release Readiness
- [ ] Demo performed in Sprint Review
- [ ] Sprint Retrospective completed
- [ ] Next sprint backlog refined

---

**ASPICE Mapping**:
- DoD = Quality Criteria (SUP.1 BP3: Establish quality criteria)
- DoD Checklist = Verification Gate (SWE.4-6: Verification activities)

Agile Roles and ASPICE Responsibilities

Agile Role ASPICE Responsibility Example Activities
Product Owner Requirements Management (SWE.1) Define Epics, refine User Stories, accept stories in Sprint Review
Scrum Master Process Assurance (SUP.1) Ensure DoD is followed, facilitate retrospectives, remove blockers
Development Team Design, Implementation, Verification (SWE.2-6) Code, test, review, integrate
Architect Architectural Design (SWE.2, SYS.3) Define Architecture Decision Records (ADRs), review PRs affecting architecture
QA Engineer Independent Verification (SUP.1) Conduct integration tests, security tests, audit compliance
Release Manager Configuration Management (SUP.8) Manage releases, tagging, branching strategy

No Additional Roles Needed: Existing Agile roles cover ASPICE responsibilities.

Continuous ASPICE Compliance

CI/CD as ASPICE Evidence Generator

# .github/workflows/aspice-compliance-check.yml

name: ASPICE Compliance Gate

on:
  pull_request:
    branches: [develop, main]

jobs:
  aspice-compliance:
    runs-on: ubuntu-latest

    steps:
      # SWE.3 BP5: Coding standards compliance
      - name: MISRA C Check
        run: cppcheck --addon=misra src/

      # SWE.4 BP3: Unit tests execution
      - name: Run Unit Tests
        run: pytest tests/unit/

      # SWE.4 BP4: Coverage check
      - name: Check Code Coverage
        run: |
          coverage run -m pytest
          coverage report --fail-under=80

      # SWE.3 BP7: Code review enforcement
      - name: Require 2 Approvals
        uses: actions/github-script@v6
        with:
          script: |
            const reviews = await github.rest.pulls.listReviews({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.payload.pull_request.number
            });
            const approvals = reviews.data.filter(r => r.state === 'APPROVED').length;
            if (approvals < 2) {
              core.setFailed('Requires 2 approvals (ASPICE SWE.3 BP7)');
            }

      # SUP.8 BP5: Traceability check
      - name: Verify Jira Link
        run: |
          PR_BODY="${{ github.event.pull_request.body }}"
          if ! echo "$PR_BODY" | grep -qE '\[SWE-[0-9]+\]'; then
            echo "ERROR: PR must reference Jira story (e.g., [SWE-123])"
            exit 1
          fi

      # SWE.6: Generate test report
      - name: Upload Test Results
        uses: actions/upload-artifact@v3
        with:
          name: test-results
          path: test-reports/

**Result**: Every PR merge generates ASPICE-compliant evidence automatically.

Agile ASPICE Assessment Evidence

What Assessors Look For

ASPICE Process Evidence Location (Agile) Assessor Verification
SWE.1 BP1 Jira User Stories Assessor reviews sample stories, checks acceptance criteria
SWE.1 BP5 Jira Epic→Story links Assessor verifies traceability matrix (can be auto-generated)
SWE.2 BP1 docs/architecture/ADR-*.md Assessor reviews Architecture Decision Records
SWE.3 BP6 Git commits Assessor samples code, verifies it implements requirements
SWE.3 BP7 GitHub PR approvals Assessor checks PR history, verifies 2+ reviewers
SWE.4 BP3 CI/CD pipeline logs Assessor reviews test execution logs, coverage reports
SWE.6 BP3 Sprint Review recordings Assessor watches demo video, checks acceptance
SUP.1 BP4 Retrospective notes (Confluence) Assessor reviews meeting minutes, checks for QA activities
SUP.8 BP3 Git branching strategy doc Assessor verifies controlled merges, protected branches
MAN.3 BP10 Sprint Burndown Charts (Jira) Assessor reviews progress tracking, velocity trends

Tip: Keep a "Evidence Collection" Confluence page with links to all ASPICE artifacts.

Summary

Agile and ASPICE Integration:

  • Not Contradictory: Agile focuses on delivery cadence, ASPICE on process quality
  • Agile Artifacts = ASPICE Work Products: User Stories = SWE.1, DoD = Quality Gate
  • Sprints = Mini V-Cycles: Each sprint performs Requirements → Design → Code → Test
  • CI/CD = Evidence Generator: Automated pipelines produce ASPICE-compliant reports
  • No Extra Overhead: Existing Agile practices (reviews, retrospectives) satisfy SUP.1
  • Assessor-Friendly: Digital artifacts (Jira, Git, CI logs) easily auditable

Chapter Structure:

  1. 22.01 Agile Principles in ASPICE Context - Mapping Agile values to ASPICE practices
  2. 22.02 Sprint Work Products - Detailed sprint artifact templates
  3. 22.03 Continuous ASPICE Compliance - Automation strategies for continuous evidence
Previous
Tool Qualification
Next
Agile Principles in ASPICE Context