Regulatory standards referenced
TRACE ALM is built specifically to satisfy the standards below. Each is referenced from individual rules in the strictdoc-requirements skill file via tags like [62304 §5.2.2] so each design decision can be traced back to its regulatory basis.
| Standard | Full title | Why it matters here |
|---|---|---|
| ISO 62304:2006+AMD1:2015 | Medical-device software — Software life-cycle processes | The core software-lifecycle standard. Drives most of TRACE ALM’s process structure (requirements management, change control, verification, problem resolution). |
| ISO 14971:2019 | Application of risk management to medical devices | Risk-control measures that flow into software requirements (SRS items with TYPE: safety). The §4.5 traceability chain — risk control → requirement → test — is what TRACE ALM closes via typed-link relations. |
| ISO 13485:2016 | Quality management systems — requirements for regulatory purposes | Document control, change control, training records, supplier control. The CODEOWNERS-gated review flow is TRACE ALM’s implementation of 13485-style controlled documents. |
| IEC 81001-5-1 | Health software and health IT systems safety, effectiveness and security — Part 5-1: Security activities in the product life cycle | Security activities and SOUP management. Drives the TYPE: security requirements (encryption at rest, authentication, audit logging, threat-model linkage). |
| 21 CFR Part 11 | FDA — Electronic records; electronic signatures (subpart B sections §11.10, §11.30, §11.50, §11.70, §11.200) | Audit trails, electronic signatures, system access controls. The two-layer signing chain (auto-stamp + Signet) is TRACE ALM’s response to Part 11. See the Part 11 strategy page. |
| HIPAA Security Rule (45 CFR §164.312) | Standards for security of electronic protected health information | Audit controls (§164.312(b)) and integrity (§164.312(c)). Drives audit-log requirements on regulated operations and database-encryption-at-rest requirements. |
| FDA CSA (Computer Software Assurance) guidance | Computer Software Assurance for Production and Quality System Software | Tool qualification approach for the regulated tools TRACE ALM relies on (StrictDoc, post-processor, auto-stamp, VisionTrace, Signet). Foundation plan item 7. |
| OWASP ASVS V6 | Application Security Verification Standard — stored cryptography requirements | Referenced from TYPE: security items concerning credential storage. |
Where each appears
A non-exhaustive cross-reference of where these standards drive specific TRACE ALM behaviour. Some entries reference requirements planned for the regulatory-docs/ graph (10_system.sdoc, 11_srs.sdoc, or 20_architecture.sdoc) that are not yet authored; they are listed here as illustrative of the kind of mapping each standard produces, and the actual items will land in subsequent PRs.
- SRS-001 (first-launch DB initialisation) — ISO 62304 §5.2.2 a) functional behaviour; ISO 13485 §4.2.4 controlled records
- Future security req — encryption at rest (planned, not yet authored) — HIPAA Security Rule §164.312(a)(2)(iv); IEC 81001-5-1
- Future regulatory req — audit log of regulated operations (planned, not yet authored) — 21 CFR Part 11 §11.10(e); 45 CFR §164.312(b)
- Future safety req — block session on high impedance (illustrative example) — ISO 62304 §5.2.3 + ISO 14971 §7
- CODEOWNERS gating — ISO 13485 §4.2.4 (controlled documents)
- Auto-stamp `REVIEWED_HASH` — ISO 62304 §8.2 (configuration management); ISO 13485 §4.2.4
- The `--fail-on-suspect` gate — ISO 13485 §4.2.4 (no document changes without controlled review); ISO 62304 §8.2.4 (change control)
- Signet release signatures — 21 CFR Part 11 §11.50, §11.70
For the canonical list of every rule and its standard tag, read the skill file directly.