Connected medical-device manufacturers ship firmware that lives inside patients and inside hospitals for a decade. FDA SaMD guidance, MDR, IVDR, IEC 62304, and IEC 81001-5-1 turn every firmware release into a regulator-readable evidence artefact. Safeguard makes that evidence a signed pipeline output, not a year-long submission project.
Premarket SBOM, EU device regs, decade-long patch obligations, and PSIRT — all hitting one firmware team.
Premarket submissions now require a complete, signed SBOM for the exact firmware that ships on the device. The reviewer expects machine-readable CycloneDX or SPDX — not a spreadsheet attached to the cover letter.
EU 2017/745 and 2017/746 push cybersecurity from a recommendation into a marketing-authorisation prerequisite. Notified bodies are reading the SBOM, the threat model, and the vulnerability-handling SOP before they sign.
Connected devices stay in clinical use for a decade or more. Long after the original team has moved on, somebody has to be able to prove which transitive dependency is in field firmware version 3.1.7 — and patch it.
Coordinated disclosure programs, FDA-mandated patch communications, and customer-hospital security teams all demand a CVE-to-patch story within tight SLAs. PSIRT is not a side function any more.
Every firmware build emits a signed CycloneDX SBOM pinned to the binary that flashed to the device. Provenance and attestation travel with the artefact through the regulator, the notified body, and the hospital security review.
Most CVEs in an RTOS or Bluetooth stack are not actually reachable from the device's threat boundary. Reachability turns a 1,900-row alert list into a defendable, ranked worklist for the embedded team.
Firmware that shipped seven years ago still needs an evidence trail. Safeguard retains the signed SBOM, VEX, and policy verdicts for the full service life — queryable on the day the regulator or hospital asks.
PSIRT intake, triage, advisory drafting, and customer notification run on a single pipeline. CVE entries are linked to the affected firmware, the patch commit, and the field-update plan — no parallel spreadsheets.
Pre-mapped control narratives and evidence in the formats FDA reviewers and EU notified bodies already accept.
Firmware CI signing pipeline, PSIRT-managed disclosure, multi-site evidence retention, and a regulator-ready trust packet.
Firmware build farms emit a signed CycloneDX SBOM per binary, bound to the toolchain hash and the source commit. Reproducible builds, deterministic outputs.
Every release artefact carries an in-toto attestation and sigstore signature. The premarket package and the EU technical file pull from the same evidence store.
Coordinated-disclosure intake, triage, and advisory drafting are linked to the SBOM and the firmware. Customer hospital security teams receive a machine-readable VEX, not a PDF.
SBOM, VEX, policy decisions, and disclosure history are retained for the full service life of the device. Queryable on day three thousand, not just on day thirty.
RTOS kernels, BLE stacks, and TLS libraries deep inside the firmware carry a long CVE tail. Most are unreachable in the device threat model — but the regulator still wants to see the analysis.
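As an added illustration of the two ideas above (an SBOM pinned to the exact binary, and a reachability verdict shipped as machine-readable VEX) and not code from Safeguard, the snippet below builds a minimal CycloneDX 1.5 document whose primary component hash is the firmware image's SHA-256, records a not_affected analysis with the CycloneDX justification code_not_reachable, and checks the binding before any verdict is trusted. The firmware bytes, component names, property names and the CVE identifier are constructed placeholders.

```python
import hashlib

# Constructed stand-in for the image that was flashed to the device.
FIRMWARE_BYTES = b"constructed-firmware-image-v3.1.7"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(firmware: bytes, version: str, commit: str, toolchain_sha256: str) -> dict:
    """Minimal CycloneDX 1.5 BOM pinned to the binary it describes.

    The primary component's hash binds the document to the exact bytes shipped;
    source commit and toolchain hash travel as properties (constructed names,
    not a standard property taxonomy)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {
            "type": "firmware",
            "name": "example-device-firmware",
            "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(firmware)}],
            "properties": [
                {"name": "example:source-commit", "value": commit},
                {"name": "example:toolchain-sha256", "value": toolchain_sha256},
            ],
        }},
        "components": [{"type": "library", "name": "example-ble-stack",
                        "version": "2.4.0", "bom-ref": "pkg:generic/example-ble-stack@2.4.0"}],
        # VEX-style analysis carried inline: the reachability finding is a
        # machine-readable verdict the hospital security team can parse.
        "vulnerabilities": [{
            "id": "CVE-0000-00000",  # placeholder identifier, not a real CVE
            "affects": [{"ref": "pkg:generic/example-ble-stack@2.4.0"}],
            "analysis": {"state": "not_affected",
                         "justification": "code_not_reachable",
                         "detail": "Pairing routine is compiled out in this device configuration."},
        }],
    }


def sbom_matches_binary(sbom: dict, firmware: bytes) -> bool:
    """Refuse to trust verdicts unless the SBOM is pinned to these exact bytes."""
    hashes = sbom["metadata"]["component"].get("hashes", [])
    return any(h["alg"] == "SHA-256" and h["content"] == sha256_hex(firmware) for h in hashes)


def not_affected_ids(sbom: dict) -> list:
    """IDs the manufacturer has formally marked unreachable in this firmware."""
    return [v["id"] for v in sbom.get("vulnerabilities", [])
            if v.get("analysis", {}).get("state") == "not_affected"]
```

A consumer that skips the hash check can be handed a VEX written for a different build, which is why the verification comes before the verdict list is read.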
Diagnostic and imaging models that run on-device need signed weights, lineage, and drift monitoring. A silently corrupted model is a patient-safety event, not a software bug.
The wireless surface is the most exposed part of a connected device. A new CVE in a baseband or BLE pairing routine can put an entire installed base into the disclosure clock at once.
Open-source maintainers move on; commercial suppliers EOL components. Long-tail devices outlive their dependencies, and the manufacturer has to find the path forward — often before the regulator notices.
Numbers from production deployments. Same regulator, same device, dramatically less submission overhead.
| Metric | Before Safeguard | With Safeguard |
|---|---|---|
| FDA premarket SBOM prep | 3 weeks | 30 minutes |
| Field-patch reachability filter | 70% noise | 5% noise |
| PSIRT-disclosure response | 14 days | 24 hours |
| Ten-year evidence retention | Manual | Automated |
| Tool consolidation | 5 vendors | 1 |
| Alert volume per firmware / month | ~1,900 | ~190 |
| Recall risk identification | Weeks | Hours |
Talk to the team about FDA SaMD evidence pipelines, MDR / IVDR technical files, and a PSIRT shape that runs for the full service life of the device.