IEC 62304 compliance automated in CI
Sentrik maps 31 rules to IEC 62304 software lifecycle clauses, enforces them on every commit, and generates the audit evidence your notified body needs. No more spreadsheet traceability.
npm install -g sentrik && sentrik scan
IEC 62304 pack available on the Team tier ($29/month).
The IEC 62304 Problem
Medical device software teams spend months on compliance evidence that should be automated.
- Typical time to prepare IEC 62304 evidence for a design review or submission
- Annual cost of manual compliance using Jama, DOORS, or spreadsheets
- Highest software safety class (Class C) requires full lifecycle traceability
- 31 IEC 62304 rules mapped to specific clauses, enforced on every commit
31 Rules Mapped to IEC 62304 Clauses
Every finding cites the specific clause. Your notified body sees §5.5.3, not just a severity label.
§5.1 — Software Development Planning
Configuration management, development environment documentation, coding standards enforcement
§5.2 — Software Requirements Analysis
Requirements traceability, requirement coverage verification, automated drift detection
§5.3 — Software Architectural Design
Architecture rule enforcement, module boundary checks, dependency management
§5.5 — Software Unit Implementation
Coding standards (no hardcoded secrets, no eval, secure crypto), code review evidence, test coverage
§7 — Software Risk Management
Risk analysis documentation detection, FMEA references, ISO 14971 integration
§8 — Software Configuration Management
SBOM generation, dependency pinning, version control hygiene, change control evidence
Audit Evidence Your Notified Body Accepts
When they ask "show me your traceability matrix," you open the Evidence Map.
Compliance Evidence Map
Sentrik doesn't just find violations. It proves where your code satisfies each IEC 62304 requirement:
- §5.5.3 — Coding standards verified across 43 source files
- §8.1 — SBOM generated in CycloneDX format
- §7.1 — Risk management documentation found in docs/risk-analysis.adoc
- §5.2.3 — Requirements traced to implementation files
Each attestation carries an HMAC-SHA256 tag computed over the evidence map, so anyone holding the key can confirm the evidence has not been altered since it was generated. Because HMAC is a keyed MAC rather than a public-key signature, the tag proves integrity only to holders of the key; keep that key in CI, not on developer machines, if the attestation is meant to stand up to an auditor.
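To show what "verify the attestation" means in practice, here is an added example (not Sentrik's code) that tags an evidence map with HMAC-SHA256 and then verifies it, rejecting both a tampered map and a wrong key. The evidence-map layout, the attestation layout, the canonicalisation rule and the key below are all assumptions made for this example; Sentrik's real formats may differ.

```python
"""HMAC-SHA256 attestation over a compliance evidence map.

Added example, not Sentrik's code. The JSON layout, the canonicalisation
rule and the key are assumptions made for this demonstration.
"""
import copy
import hashlib
import hmac
import json

# Constructed sample evidence map; not real scanner output.
EVIDENCE_MAP = {
    "standard": "IEC 62304",
    "evidence": [
        {"clause": "5.5.3", "kind": "coding-standards", "files_checked": 43},
        {"clause": "8.1", "kind": "sbom", "format": "CycloneDX"},
        {"clause": "7.1", "kind": "risk-management-doc", "path": "docs/risk-analysis.adoc"},
    ],
}

# Constructed demo key. In CI this would come from a secret store, never from the repo.
KEY = b"demo-attestation-key-replace-me"


def canonical_bytes(evidence_map: dict) -> bytes:
    """Serialise deterministically (sorted keys, no whitespace) so the same
    content always produces the same tag, regardless of key order or formatting."""
    return json.dumps(evidence_map, sort_keys=True, separators=(",", ":")).encode("utf-8")


def attest(evidence_map: dict, key: bytes) -> dict:
    """Wrap the evidence map with its HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical_bytes(evidence_map), hashlib.sha256).hexdigest()
    return {"alg": "HMAC-SHA256", "evidence_map": evidence_map, "tag": tag}


def verify(attestation: dict, key: bytes) -> bool:
    """Recompute the tag over the embedded map and compare in constant time.
    Returns False for an unknown algorithm, a wrong key, or any change to the map."""
    if attestation.get("alg") != "HMAC-SHA256":
        return False
    expected = hmac.new(key, canonical_bytes(attestation["evidence_map"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(attestation.get("tag", "")))


def tampered_copy(attestation: dict, index: int, field: str, value) -> dict:
    """Return a deep copy of the attestation with one evidence entry edited,
    simulating someone inflating a figure after the scan ran."""
    forged = copy.deepcopy(attestation)
    forged["evidence_map"]["evidence"][index][field] = value
    return forged


if __name__ == "__main__":
    att = attest(EVIDENCE_MAP, KEY)
    print("genuine verifies:", verify(att, KEY))
    print("tampered verifies:", verify(tampered_copy(att, 0, "files_checked", 44), KEY))
    print("wrong key verifies:", verify(att, b"some-other-key"))
```

The canonicalisation step matters: without it, the same evidence re-serialised with different key order or indentation would fail verification, and tooling would be tempted to "fix" that by skipping the check. `hmac.compare_digest` avoids leaking tag bytes through timing. Note that whoever holds `KEY` can re-tag a modified map, which is why the key must live in CI, not with the people whose work the evidence attests.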
From Code to Compliant in Four Steps
Scan
sentrik scan
31 IEC 62304 rules check your medical device software. Findings map to specific clauses.
Fix
AI-powered fix suggestions explain each violation and generate corrected code. Or use auto-patching for common issues.
Gate
- uses: maxgerhardson/sentrik-community@v1
Every PR is checked. Non-compliant code is blocked. PR comments cite the specific IEC 62304 clause.
Evidence
sentrik compliance-map
Generate the evidence map, trust center page, and signed attestation for your next design review.
Also Available: Related Medical Device Packs
Sentrik covers the full regulatory landscape for medical device software.
IEC 81001-5-1
Health software cybersecurity. 20 rules. Organization tier.
21 CFR Part 11
FDA electronic records and signatures. 16 rules. Organization tier.
ISO 14971
Medical device risk management. 16 rules. Organization tier.
HIPAA
Healthcare data protection. 25 rules. Team tier.
IEC 62304 Compliance FAQ
Does Sentrik replace Jama Connect or IBM DOORS?
Sentrik complements requirements management tools by automating the code-level traceability and evidence collection that Jama/DOORS don't do. Sentrik verifies that requirements are actually implemented in code and generates the evidence artifacts. Many teams use Sentrik for code compliance and a lighter-weight tool for requirements management.
Which software safety classes does Sentrik support?
Sentrik supports Class A, B, and C software. You can configure governance profiles (strict, standard, permissive) to match the rigor required for each safety class. Class C typically uses the strict profile with all human review gates enabled.
Can Sentrik detect risk management documentation?
Yes. The Evidence Map searches for .md, .adoc, .rst, and .txt files containing risk management keywords and links them to the relevant IEC 62304 clauses. If you have a risk-analysis.adoc, Sentrik finds it and reports it as evidence for §7.1. This confirms that a document exists and is linked to the clause; it does not assess whether the analysis itself is complete, so the content still needs human review.
Does Sentrik generate an SBOM for FDA submissions?
Yes. sentrik sbom generates a CycloneDX SBOM from your dependency manifests, which supports FDA's expectations for software transparency and the IEC 62304 §8 configuration management requirements. Because it is built from manifests, it covers declared dependencies only; vendored sources or components bundled inside binaries need to be added to the SBOM separately.
How does Sentrik handle AI-generated code in medical devices?
Sentrik scans all code regardless of origin. The same 31 IEC 62304 rules apply whether code was written by a human or an AI agent. The MCP integration lets AI coding agents check the compliance rules before writing code, so generated code is far more likely to pass the gate on the first attempt; the gate itself still runs on every PR.
Automate IEC 62304 Compliance
31 rules on the Team tier. Try the free tier first — includes OWASP and SOC 2.
npm install -g sentrik && sentrik scan