How sentrik Enforces IEC 62304 in CI/CD

A practical guide to automating IEC 62304 compliance for medical device software using sentrik in your CI/CD pipeline.

The IEC 62304 challenge

IEC 62304 defines the software development lifecycle for medical device software. If you're building software that's part of a medical device, whether it's a patient monitor, diagnostic tool, or health data platform, you need to demonstrate conformance to the standard to FDA reviewers (510(k)/PMA submissions) or to EU MDR notified bodies.

The standard requires (with the depth of each activity scaled by the software safety class, A, B or C, assigned to each software system or item):

  • Traceability from requirements to source code
  • Input validation and error handling in safety-critical paths
  • Documentation for each development phase (clauses 5.1 through 5.8)
  • Verification and testing evidence

Traditionally, this means months of manual documentation, spreadsheet-based traceability matrices, and gate reviews. With AI coding agents generating code at scale, the manual approach breaks down.

Automating compliance with sentrik

sentrik's fda-iec-62304 standards pack automates IEC 62304 compliance checks. Here's how to set it up.

Step 1: Install and configure

npm install -g sentrik
sentrik add-pack fda-iec-62304      # Or auto-detected from README

The IEC 62304 pack includes 14 rules:

  • 4 code rules — traceability headers, unsafe casts, input validation, error handling
  • 8 documentation obligations — one per IEC 62304 clause (5.1 through 5.8)
  • 2 ML/AI rules — model validation and data provenance (for AI-enabled devices)

Step 2: Add traceability headers

The pack requires every source file to begin with a traceability header linking it to a requirement (shown here as a Python module docstring):

"""Patient data processor.

Requirement: REQ-001 — Patient data ingestion
IEC 62304 Class: B
"""

Files without this header are flagged as high severity. The Class line records the IEC 62304 software safety class of the item the file belongs to: A (no injury or damage to health is possible), B (non-serious injury is possible), C (death or serious injury is possible). AI coding agents can be instructed to include these headers, and sentrik catches it when they don't.
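As an added illustration of what the header buys you, not code from sentrik or from this page's author, the script below parses that header out of a set of constructed source files and builds the requirement-to-file traceability matrix that teams used to keep in spreadsheets, flagging files whose header is missing or malformed. It assumes the header sits in the first 20 lines, that requirement ids look like REQ-001, and that header lines may carry a leading comment marker so the same check works for Python docstrings and JS/C block comments; all three are assumptions, not sentrik's documented behaviour.

```javascript
// Added example (not sentrik's own rule code): parse the traceability header
// and build a requirement -> source file matrix, reporting header defects.
// Assumptions: header within the first 20 lines; ids match REQ-<3+ digits>;
// header lines may start with a comment marker ("#", "*" or "//").
// Usage: node trace-matrix.js

const HEADER_WINDOW = 20;                       // assumption: header lives in the first 20 lines
const REQ_ID = /^REQ-\d{3,}$/;                  // assumption: id format, e.g. REQ-001
// "Requirement: <id> [<dash> <title>]", optional leading comment marker
const REQ_LINE = /^\s*(?:\/\/|\*|#)?\s*Requirement:\s*(\S+)(?:\s*[\u2014-]\s*(.+?))?\s*$/;
// "IEC 62304 Class: <A|B|C>", optional leading comment marker
const CLASS_LINE = /^\s*(?:\/\/|\*|#)?\s*IEC 62304 Class:\s*(\S+)\s*$/;

// Returns { requirement, title, safetyClass, errors } for one file's text.
function parseTraceabilityHeader(text) {
  const header = { requirement: null, title: null, safetyClass: null, errors: [] };
  let classSeen = false;
  for (const line of text.split(/\r?\n/).slice(0, HEADER_WINDOW)) {
    const r = line.match(REQ_LINE);
    if (r) {
      if (REQ_ID.test(r[1])) {
        header.requirement = r[1];
        header.title = r[2] ? r[2].trim() : null;
      } else {
        header.errors.push(`malformed requirement id "${r[1]}" (expected REQ-nnn)`);
      }
      continue;
    }
    const c = line.match(CLASS_LINE);
    if (c) {
      classSeen = true;
      if (/^[ABC]$/.test(c[1])) header.safetyClass = c[1];
      else header.errors.push(`invalid IEC 62304 class "${c[1]}" (expected A, B or C)`);
    }
  }
  if (!header.requirement && !header.errors.some(e => e.startsWith('malformed'))) {
    header.errors.push('missing "Requirement: REQ-nnn" line in header');
  }
  if (!classSeen) header.errors.push('missing "IEC 62304 Class:" line in header');
  return header;
}

// files: [{ path, text }]. Returns { byRequirement: { id: [{ path, safetyClass }] }, findings }.
// A file with a valid id but a bad class is still traced to its requirement; the bad class
// is reported separately, so the matrix stays complete while the defect is still visible.
function buildTraceabilityMatrix(files) {
  const byRequirement = {};
  const findings = [];
  for (const { path, text } of files) {
    const h = parseTraceabilityHeader(text);
    for (const message of h.errors) findings.push({ path, severity: 'high', message });
    if (h.requirement) {
      if (!byRequirement[h.requirement]) byRequirement[h.requirement] = [];
      byRequirement[h.requirement].push({ path, safetyClass: h.safetyClass });
    }
  }
  return { byRequirement, findings };
}

// Renders the matrix as plain text lines: one per requirement, then one per finding.
function renderReport({ byRequirement, findings }) {
  const lines = [];
  for (const req of Object.keys(byRequirement).sort()) {
    const refs = byRequirement[req].map(f => `${f.path} [Class ${f.safetyClass || '?'}]`);
    lines.push(`${req}: ${refs.join(', ')}`);
  }
  for (const f of findings) lines.push(`${f.severity.toUpperCase()} ${f.path}: ${f.message}`);
  return lines;
}

// Constructed sample inputs (not from a real project): one good Python file,
// one good JS file, one with an invalid class, one with no header at all.
const SAMPLE_FILES = [
  { path: 'src/ingest.py', text: ['"""Patient data processor.', '',
      'Requirement: REQ-001 \u2014 Patient data ingestion', 'IEC 62304 Class: B', '"""', '',
      'def ingest(record):', '    return record'].join('\n') },
  { path: 'src/alarm.js', text: ['/**', ' * Alarm threshold evaluation.',
      ' * Requirement: REQ-002 \u2014 Alarm limits', ' * IEC 62304 Class: C', ' */',
      'module.exports = {};'].join('\n') },
  { path: 'src/export.py', text: ['"""Report export.', '',
      'Requirement: REQ-001 \u2014 Patient data ingestion', 'IEC 62304 Class: D', '"""'].join('\n') },
  { path: 'src/util.py', text: ['def helper():', '    return 1'].join('\n') },
];

console.log(renderReport(buildTraceabilityMatrix(SAMPLE_FILES)).join('\n'));
```

On the sample set this traces REQ-001 to two files and REQ-002 to one, and raises three high findings: the invalid class "D" in src/export.py and the missing requirement and class lines in src/util.py. Wiring a check like this into a pre-commit hook gives developers the same signal the gate will raise later, before the PR is opened.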

Step 3: Add to CI/CD

Add sentrik as a gate on every pull request:

# .github/workflows/iec62304-gate.yml
name: IEC 62304 Gate
on: [pull_request]

permissions:
  contents: read
  pull-requests: write   # GITHUB_TOKEN needs this to post the inline PR comments

jobs:
  compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # default depth of 1 has no merge base for origin/main...HEAD
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - run: npm install -g sentrik
      - run: sentrik gate --git-range "origin/main...HEAD" --decorate-pr
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Every PR is now scanned against IEC 62304 rules. Critical and high findings fail the job, and findings are posted as inline PR comments. Mark the job as a required status check in branch protection; without that, a failed gate is advisory and the PR can still be merged.

Step 4: Track documentation obligations

IEC 62304 requires documentation at each phase. sentrik tracks these as documentation_obligation rules. They appear in reports but never fail the gate, because their evidence (plans, design documents, test records) lives outside the code base and cannot be checked by scanning source.

Generate an HTML report for your auditor:

sentrik report --format html

The report shows a compliance checklist with each IEC 62304 clause, its status, and remediation guidance.

Step 5: Reconcile with work items

Link findings to your DevOps work items automatically:

sentrik reconcile --dry-run    # Preview what will happen
sentrik reconcile              # Create/update/close work items

This creates a traceable chain from requirement to code to finding to work item, which is the chain auditors ask to see.

What auditors see

When an auditor asks "how do you ensure IEC 62304 compliance?", you can show:

  1. CI/CD gate history — every PR was scanned against IEC 62304 rules
  2. SARIF reports — machine-readable compliance evidence
  3. HTML reports — human-readable with severity charts and documentation checklists
  4. Audit log — every scan, gate, and reconcile action timestamped
  5. Work item traceability — findings linked to requirements in Azure DevOps or GitHub

This is continuous compliance — not a one-time audit prep exercise, but evidence generated on every code change.

Try it

Try it on any project with medical device software. Install sentrik and scan:

npm install -g sentrik
sentrik add-pack fda-iec-62304
sentrik scan
sentrik gate

sentrik will flag missing traceability headers, unsafe code patterns, and documentation gaps. See the medical device walkthrough in the docs for a full example.