Runs on Atlassian Forge

Compliance-ready requirements management

4Spec provides the traceability, audit trails, approval workflows, and electronic signatures required by regulated industry standards.

Feature to compliance mapping

Every compliance-relevant 4Spec feature mapped to the standards it satisfies

4Spec Feature	What It Does	Regulatory Requirement
Immutable Audit Log	Every create, update, delete, approve, reject, sign, and classification change is recorded with user, timestamp, and field-level diff. Insert-only — no edits or deletions.	ISO 13485 §4.2.4, IEC 62304 §8.1, ASPICE SYS.2, DO-178C §5.5, SOX §302/404, 21 CFR Part 11 §11.10(e)
Electronic Signatures	Multi-person sign-off with meaning (Approved / Reviewed / Verified), signer identity, optional comment, and timestamp.	21 CFR Part 11 §11.50, ISO 13485 §4.2.4, DO-178C Table A-3
Approval Workflow	State machine: Draft → In Review → Approved → Obsolete. Configurable minimum signers. Auto-revert to Draft on edit.	ISO 13485 §7.3.2, ASPICE SYS.2.BP7, DO-178C §5.1
Safety Classification	Per-requirement ASIL (ISO 26262), DAL (DO-178C), Risk Class (IEC 62304), or custom scheme. Filterable in reports.	ISO 26262 Part 3, DO-178C §2.3, IEC 62304 §4.3
Bidirectional Traceability	Requirements linked to Jira issues via native issue links. Coverage badges (Covered/Partial/Uncovered). Traceability matrix view.	ISO 13485 §7.3.6, ASPICE SYS.2.BP8, DO-178C §5.5, IEC 62304 §5.7
Coverage Analysis	Per-requirement and project-level coverage tracking. Gap detection filter shows uncovered requirements.	DO-178C Table A-7, ASPICE SYS.5, ISO 26262 Part 8
Baselines	Point-in-time snapshots capturing requirements, tree structure, test case links, coverage status, and execution results. Immutable once created.	ISO 13485 §4.2.4, ASPICE SUP.10, DO-178C §7.2, IEC 62304 §6.1
Baseline Comparison	Diff two baselines: added/removed/modified requirements, coverage delta, test case changes. Color-coded change indicators.	ASPICE SUP.10.BP5, DO-178C §5.5
Compliance Report	Audit-ready report: requirement → approval status → safety class → coverage → signatures → test results → defects. Export as HTML.	ISO 13485 §8.2.4, DO-178C §10.0, SOX §404, FDA 510(k)
Document Generation	Structured specification export (Markdown/HTML) with section numbering, approval status, safety class, signatures, test links.	ISO 13485 §4.2.3, DO-178C §11.0
Impact Analysis	2-level downstream traversal: requirement → linked stories/tasks → their subtasks/bugs.	ASPICE SYS.2.BP9, DO-178C §5.5, ISO 26262 Part 8
Advanced CSV Export	Selectable fields including approval status, safety class, signature count. For external audit tools.	General audit evidence requirement
Data Residency	All data stored within Atlassian infrastructure (Forge + SQL). No external API calls, no data egress. "Runs on Atlassian" badge.	GDPR Art. 44-49, SOC 2 Type II, data sovereignty requirements

Standards coverage

How 4Spec maps to each regulatory framework

ISO 13485 / IEC 62304

Medical Devices

Audit log → §4.2.4 Document control records
Approval workflow → §7.3.2 Design review records
Traceability → §7.3.6 Design verification/validation
Baselines → §4.2.4 Version-controlled snapshots
E-signatures → §4.2.4 Approval records
Compliance report → §8.2.4 Internal audit evidence

ASPICE / ISO 26262

Automotive

Requirements tree → SYS.2 Structured requirements
Safety classification → ASIL levels (A-D, QM)
Traceability matrix → SYS.2.BP8 Bidirectional traceability
Impact analysis → SYS.2.BP9 Change impact analysis
Baselines → SUP.10 Configuration management
Baseline comparison → SUP.10.BP5 Change tracking

DO-178C / DO-254

Aerospace & Defense

Coverage analysis → Table A-7 Structural coverage
Approval workflow → §5.1 Software planning
Audit log → §5.5 Software configuration management
Safety classification → DAL levels (A-E)
Baselines → §7.2 Configuration identification
Document generation → §11.0 Software life cycle data

SOX / GxP / 21 CFR Part 11

Finance & Pharma

Audit log → SOX §302/404, 21 CFR §11.10(e)
E-signatures → 21 CFR §11.50-11.100
Approval workflow → SOX §404 Internal controls
Data residency → SOC 2 Type II, GDPR
Compliance report → SOX §404 Evidence documentation

How 4Spec maps to your standard

Detailed mapping for the four most common regulatory frameworks

ISO 13485 / IEC 62304 Medical Devices

ISO 13485 requires documented evidence of design controls, traceability, and change management. IEC 62304 adds software-specific lifecycle requirements. 4Spec provides:

Clause	Requirement	4Spec Feature
§4.2.4	Control of records — documented evidence of conformity	Immutable audit log with field-level diffs
§4.2.4	Approval records with signatures	Electronic signatures with meaning, identity, timestamp
§7.3.2	Design and development planning — review records	Approval workflow (Draft → In Review → Approved)
§7.3.6	Design verification — traceability to design input	Traceability matrix with coverage badges
§7.3.7	Design validation — test evidence	Test execution with step results, cycles, defect links
§8.2.4	Internal audit — audit evidence documentation	Compliance report (req → approval → safety → tests)
IEC 62304 §4.3	Software safety classification	Risk Class scheme (A/B/C) per requirement
IEC 62304 §5.7	Software verification — requirements traceability	Bidirectional req ↔ test case links

ASPICE / ISO 26262 Automotive

ASPICE defines process areas for requirements engineering (SYS.2) and configuration management (SUP.10). ISO 26262 adds safety integrity levels. 4Spec provides:

Process Area	Requirement	4Spec Feature
SYS.2	Structured requirements specification	Requirements tree with folders, types, auto-generated IDs
SYS.2.BP7	Requirements review and approval	Approval workflow with configurable reviewers
SYS.2.BP8	Bidirectional traceability	Traceability matrix (req → issue → test case)
SYS.2.BP9	Change impact analysis	Impact analysis panel (2-level downstream traversal)
SYS.5	Verification coverage analysis	Coverage analysis with gap detection filter
SUP.10	Configuration management — baselines	Immutable baselines with comparison diffs
SUP.10.BP5	Change tracking across baselines	Baseline comparison: added, removed, changed items
ISO 26262 Part 3	ASIL classification	ASIL safety scheme (QM, A, B, C, D) per requirement

DO-178C / DO-254 Aerospace & Defense

DO-178C defines objectives for software lifecycle processes by Design Assurance Level. 4Spec provides:

Section	Objective	4Spec Feature
§2.3	Software level assignment (DAL A-E)	DAL safety classification scheme per requirement
§5.1	Software planning — review and approval processes	Approval workflow with electronic signatures
§5.5	Software configuration management	Immutable audit log + baselines
Table A-3	Verification of outputs — review evidence	Electronic signatures with meaning and timestamp
Table A-7	Structural coverage analysis	Coverage analysis with uncovered requirement filter
§7.2	Configuration identification — baselines	Point-in-time baselines, immutable once created
§10.0	Software compliance — audit reporting	Compliance report with full traceability chain
§11.0	Software lifecycle data — document generation	Structured spec export (HTML/Markdown), numbered sections

SOX / GxP / 21 CFR Part 11 Finance & Pharma

SOX mandates internal controls documentation. 21 CFR Part 11 defines requirements for electronic records and signatures. 4Spec provides:

Regulation	Requirement	4Spec Feature
SOX §302	CEO/CFO certification of internal controls	Compliance report documenting full control chain
SOX §404	Assessment of internal controls effectiveness	Audit log + approval records as evidence
21 CFR §11.10(e)	Audit trail for record changes	Immutable, insert-only audit log with field diffs
21 CFR §11.50	Signed electronic records — signer identity	Electronic signatures with user, meaning, timestamp
21 CFR §11.70	Signature/record linking	Signatures stored as immutable audit entries
GDPR Art. 44-49	Data transfer restrictions	All data on Atlassian Forge — no external servers
SOC 2 Type II	Infrastructure security controls	Runs on Atlassian infrastructure (SOC 2 certified)