IEC 62304 validation in seconds, not hours.

Submit a code diff, pick a risk class, get a CSA-aligned compliance verdict, an audit-ready rationale, and a SHA-256 attestation hash. File the hash in your Design History File. Move on with your day.

Get started How it works

The CSV tax

FDA finalized CSA guidance in September 2025. Risk-based critical thinking replaces script-heavy documentation. The old tooling doesn't fit the new framework, and the new framework has no tooling. That's the gap.

1–1.5x
validation cost on top of implementation
Source: Axendia / MedTech Intelligence, 2018
25%
of project cost goes to documentation alone
Source: LearnGxP (GAMP/ISPE)
$150–500/hr
consultant rates for validation support
Source: MedEnvoy, 2024
Only 14%
of professionals strongly understand CSA
Source: ISPE, Sept 2024

Still 0 purpose-built CSA tools on the market. That's the gap VibeVal fills.

How it works

One API call. Three components do the work: a deterministic rule engine, a Claude-powered rationale generator, and a tamper-evident attestation hash.

Step 1

Submit the diff

POST your code change with the IEC 62304 risk class (A, B, or C) and a short context.

Step 2

Rules check structure

Deterministic rules verify the diff includes required artifacts per risk class — tests, traceability IDs, risk analysis, formal verification.

Step 3

Engine generates rationale

A CSA-style critical thinking rationale explaining why the change is or isn't compliant against IEC 62304 §5.5–5.7.

Step 4

Hash gets filed

A SHA-256 attestation of the inputs and result. Tamper-evident. Goes straight into the Design History File.

What you send and what you get

Real shape of the API. Submit on the left, response on the right.

Request

POST /v1/validate
Authorization: Bearer csa_...

{
  "framework": "iec-62304",
  "risk_class": "B",
  "change_type": "modification",
  "diff": "...",
  "context": "Patient monitor refresh rate per REQ-042"
}

Response

{
  "compliant": true,
  "findings": [],
  "risk_assessment": {
    "risk_class": "B",
    "required_artifacts": [
      "change_description",
      "test_evidence",
      "design_reference"
    ],
    "missing_artifacts": []
  },
  "validation_rationale": "...",
  "attestation": {
    "timestamp": "2026-05-06T...",
    "input_hash": "sha256:...",
    "framework_version": "iec-62304-2015",
    "engine_version": "1.0.0"
  },
  "rationale_status": "ready"
}

What validation actually costs you

Input your team's numbers. See what you're spending on validation today versus what VibeVal would cost.

Software changes per year requiring validation 50
10200
Risk class mix
Current validation approach
Consultant hourly rate
Average hours per validation 16
440
Current cost/yr
$180,000
VibeVal cost/yr
$75
Annual savings
$179,925
Time reclaimed
100 days

Default hours based on Validify (2024) and LearnGxP (GAMP/ISPE) estimates for risk-based validation timelines.

Pricing

Pay per check. No subscription, no quota expiration. The price scales with the rigor IEC 62304 requires for that risk class.

Class A
$0.50
Software that doesn't contribute to safety. Documentation check.
Class B
$2.00
Non-life-threatening injury possible. Design verification + test evidence.
Class C
$5.00
Death or serious injury possible. Formal verification + risk analysis required.

Buy credits in fixed packs, deduct as you go.

$20
40 Class A
$50
100 Class A
$100
200 Class A
$250
500 Class A
$500
1000 Class A

Who this is for

Quality Engineers and Validation Engineers shipping software in regulated environments. The API is built for the people who file 483-observation reports for a living.

The risk landscape

Software validation gaps don't stay internal. They surface as 483s, warning letters, and recalls.

20%+
of all medical device recalls are software-related
Source: Ketryx, 2023; IEEE Spectrum, 2025
47
FDA warning letters in FY2024, up 96% YoY
Source: Emergo by UL, 2024
$2.5–5B/yr
industry cost from quality failures
Source: McKinsey

Questions you'd ask before paying

Is this regulatory advice?

No. VibeVal is a tool that assists your validation process. The Quality Engineer remains responsible for the final assessment. The attestation hash is evidence of what you submitted and what the engine returned. It is not a guarantee of regulatory compliance.

Which frameworks are supported?

IEC 62304:2015 today. ISO 13485 software lifecycle requirements and 21 CFR 820.30 design controls are next. Tell us what's blocking your team and we'll prioritize it.

How do you decide a check passes or fails?

Deterministic structural rules. We check whether the submitted diff includes the artifacts IEC 62304 requires for the declared risk class — test files for Class B and C, traceability identifiers (REQ-, SRS-, DESIGN-), risk analysis references for Class C, formal verification evidence for Class C. The rules can be reviewed and contested. The LLM only generates the rationale text, never the verdict.

What happens to my code?

The diff is sent to the rule engine and the rationale generator. We do not store the diff content. We store an SHA-256 hash of the inputs and result, and a usage record (timestamp, risk class, status code) for billing.

Why pay per check instead of a subscription?

Because Quality Engineers can expense $20 of credits without procurement approval. Subscriptions need contracts. Per-use pricing also keeps the incentive aligned: we make money when you use the tool, not when you forget to cancel.

What if FDA's CSA guidance changes?

The rules engine and rationale generator are versioned. Every attestation records the engine version that ran. If guidance shifts, we update the engine and version-bump. Your historical attestations remain reproducible against the version they ran on.

Can I integrate this into CI/CD?

Yes. The API is HTTP. A GitHub Action wrapper is on the roadmap; for now a few lines of curl in your pipeline run a check on every PR. The async rationale endpoint lets you gate CI on the deterministic verdict and fetch the rationale separately for the audit trail.

How does this compare to Veeva, MasterControl, Greenlight Guru?

Those are quality management systems. They store documents, route signatures, and manage workflows. VibeVal validates a specific code change against IEC 62304 in seconds. The two are complementary. The attestation hash drops into your existing QMS as evidence.

Ship validated changes faster.

Sign up, get an API key, run your first check in under a minute.

Get started