SaMD Operations Toolkit
Regulatory artifacts that stay in sync
with the code
A toolkit for SaMD teams managing change control on shipped product. It generates IEC 62304 design controls, ISO 14971 hazard analyses, and SOUP registers from the codebase, then runs them through five specialist reviewers (regulatory, QA, safety, cybersecurity, clinical) before any of it reaches your eQMS.
What was weeks of chasing dev for context, scheduling reviewer sessions, and getting shallow drafts back becomes hours of detailed ones.
21
Skills
Builders, reverse-engineers, specialist reviewers, PM ops
6
Standards referenced
IEC 62304 · ISO 14971 · ISO 13485 · 21 CFR 820.30 · IEC 62366-1 · FDA Cybersecurity
22
Templates
Design controls, hazards, FMEA, SOUP, capability statements in XLSX, JSON, Markdown
Generate
Skills active
Prompt
natural language request
↓
Design Controls
requirements → specs → V&V
↓
Risk Management
hazard analysis + FMEA
↓
Artifact
XLSX · JSON · Markdown
Analyze
Codebase
point at your repo
↓
Code Analysis
SOUP · hazards · design inputs
↓
Review Panel
specialist reviewers in parallel
↓
Verdict
ACCEPTABLE · NEEDS REVISION
SKILLS · REVIEWERS
What each layer does
Builder Skills
The generators
PRD Writer SaMD
Design Controls
Risk Management
Change Impact
Design Review
FHIR Builder
Generate regulatory artifacts in XLSX, JSON, or Markdown, with full traceability IDs across the set
Reverse Engineering
The catch-up path
Code → SOUP
Code → Design Inputs
Code → Hazards
Scan your codebase to extract what you should have documented before you shipped
Specialist Reviewers
The red team
Regulatory
QA
Safety
Cybersecurity
Clinical
Each reviewer reads from a pinned standard and cites it. Same input, same verdict, run after run.
PM Skills
The day-to-day
PRD Writer
Metrics
Decision Doc
Status Update
Competitive
Roadmap
Standard PM artifacts: PRDs, metrics, decisions, status updates, competitive scans, roadmaps
When your artifacts get flagged, debug from the skill level
| Finding | Root Cause | Fix With |
|---|---|---|
| Missing traceability | Design inputs not linked to user needs or V&V | design-controls |
| SOUP gaps | Dependencies in lock file not in register | code-to-soup-register |
| Unmitigated hazards | Risk analysis only covers happy path | risk-management |
| Cyber gaps | No SBOM, no threat model, no CVD plan | cybersecurity-reviewer |
Why drafts, not final records? Every output is an uncontrolled draft. Your eQMS still holds the approved records. The toolkit accelerates authoring; your QMS owns the truth. The review-panel orchestrator dispatches an artifact to all reviewers in parallel, and the most conservative verdict wins. Compatible with any eQMS.
Submission-ready checklist — when DHF drafts are ready for eQMS
✓ Design controls trace requirements → specs → V&V
✓ SOUP register matches actual dependencies
✓ Risk analysis covers all identified hazards
✓ All reviewers return ACCEPTABLE verdicts
Getting Started — One Sprint
1 Clone the repo and open in Claude Code
→
2 Run /design-controls on your codebase
→
3 Traceability matrix draft in minutes
★
github.com/mc-barnes/samd-os is MIT licensed, open source, and self-hosted. Clone it, run /design-controls on your codebase, and see what comes back.