IEC 62304 (Medical Device Software)
The fda-iec-62304 pack enforces rules for medical device software lifecycle per IEC 62304 and 21 CFR Part 11.
Enable
sentrik add-pack fda-iec-62304
Rules
The pack includes 31 rules across traceability, code enforcement, documentation obligations, and ML/AI-specific checks. Code rules cover Python, JavaScript/TypeScript, Java, C#, C/C++, and Go.
Traceability rules (1)
| ID |
Name |
Severity |
Description |
| IEC62304-TRACE-001 |
traceability-header |
high |
Source files must contain a traceability reference (REQ-xxx, SRS-xxx, REQUIREMENT:, etc.) |
Code rules (20)
Python
| ID |
Name |
Severity |
Description |
| IEC62304-CODE-001 |
no-assert-in-production |
medium |
assert statements must not be used for production error handling |
| IEC62304-CODE-002 |
no-generic-exception-handling |
high |
Bare except Exception hides errors and violates traceability |
| IEC62304-CODE-003 |
no-hardcoded-credentials |
critical |
Hardcoded credentials violate 21 CFR Part 11 access control |
| IEC62304-5.5.5 |
no-unsafe-memory-ops |
high |
Direct memory operations via ctypes/mmap require safety review |
| IEC62304-CODE-005 |
no-todo-in-medical |
medium |
TODO/FIXME/HACK/XXX comments indicate incomplete work (multi-language) |
JavaScript / TypeScript
| ID |
Name |
Severity |
Description |
| IEC62304-CODE-006-JS |
no-process-exit-medical |
high |
process.exit() causes uncontrolled termination |
| IEC62304-CODE-007-JS |
no-settimeout-string-eval |
critical |
setTimeout/setInterval with string arguments implicitly calls eval() |
Java
| ID |
Name |
Severity |
Description |
| IEC62304-CODE-002-JAVA |
no-generic-catch-java |
high |
Catching generic Exception hides errors |
| IEC62304-CODE-008-JAVA |
no-system-exit-medical-java |
high |
System.exit() causes uncontrolled shutdown |
| IEC62304-CODE-009-JAVA |
no-thread-sleep-medical-java |
medium |
Thread.sleep() blocks and can cause unresponsive behavior |
C
| ID |
Name |
Severity |
Description |
| IEC62304-CODE-002-CS |
no-generic-catch-cs |
high |
Catching generic Exception hides errors |
C/C++
| ID |
Name |
Severity |
Description |
| IEC62304-CODE-001-CPP |
no-assert-in-production-cpp |
medium |
assert macros must not be used for production error handling |
| IEC62304-5.5.5-CPP |
no-unsafe-memory-ops-cpp |
high |
malloc, realloc, free, strcpy, sprintf, gets require safety review |
| IEC62304-CODE-006-CPP |
no-signal-handling-cpp |
high |
Signal handlers are unsafe due to undefined behavior |
| IEC62304-CODE-007-CPP |
no-goto-cpp |
high |
goto is banned in safety-critical software |
| IEC62304-5.5.5-CPP2 |
no-dynamic-memory-realloc-cpp |
high |
realloc() risks data loss and undefined behavior on failure |
| IEC62304-5.5.5-CPP3 |
no-dynamic-memory-calloc-cpp |
high |
calloc() dynamic allocation requires safety review |
Multi-language
| ID |
Name |
Severity |
Languages |
Description |
| IEC62304-CODE-003 |
no-hardcoded-credentials |
critical |
All |
Hardcoded credentials violate 21 CFR Part 11 |
| IEC62304-CODE-004 |
no-eval-exec |
critical |
Python, JS/TS |
Dynamic code execution via eval()/exec() is prohibited |
| IEC62304-CODE-005 |
no-todo-in-medical |
medium |
All |
TODO/FIXME/HACK/XXX indicate incomplete work |
Go
| ID |
Name |
Severity |
Description |
| IEC62304-CODE-010-GO |
no-panic-medical-go |
high |
panic() causes uncontrolled crash |
| IEC62304-CODE-011-GO |
no-os-exit-medical-go |
high |
os.Exit() terminates without running deferred functions |
Documentation obligations (8)
| ID |
Name |
Clause |
Description |
| IEC62304-5.1.1 |
software-development-plan |
5.1.1 |
A Software Development Plan must be established and maintained |
| IEC62304-5.1.6 |
software-verification-plan |
5.1.6 |
A Software Verification Plan must define verification activities |
| IEC62304-5.2.1 |
software-requirements-specification |
5.2.1 |
Software requirements must be documented and traceable |
| IEC62304-5.3.1 |
architecture-documentation |
5.3.1 |
Software architecture must be documented |
| IEC62304-5.4.1 |
detailed-design |
5.4.1 |
Detailed design documentation required for Class C |
| IEC62304-6.1 |
maintenance-plan |
6.1 |
A Software Maintenance Plan must be established |
| IEC62304-7.1.1 |
risk-analysis |
7.1.1 |
Software risk analysis per ISO 14971 must be documented |
| IEC62304-8.1.1 |
configuration-management |
8.1.1 |
A Configuration Management system must be established |
ML/AI rules (2)
| ID |
Name |
Clause |
Description |
| IEC62304-ML-001 |
training-data-provenance |
5.2.1 |
ML models must have documented training data provenance |
| IEC62304-ML-002 |
model-validation-protocol |
5.1.6 |
ML model validation protocol must be documented and executed |
Use case
Medical device companies using AI coding agents to develop software need to demonstrate IEC 62304 compliance to FDA (510(k)/PMA) and EU MDR notified bodies. This pack:
- Enforces code traceability — Every source file links to a requirement
- Catches unsafe patterns — Type casts, missing input validation, error handling gaps
- Tracks documentation obligations — All IEC 62304 clauses appear in reports for audit evidence
- Supports Class A/B/C — Rules can be customized per software safety class via overrides
Combining with other packs
IEC 62304 works well alongside owasp-top-10 for web-connected medical devices:
standards_packs:
- fda-iec-62304
- owasp-top-10