Catch the incomplete package before your reviewer does.

Submit a code diff, pick a risk class, and VibeVal screens the change for the artifacts IEC 62304 expects — test evidence, traceability, risk analysis — then drafts a CSA-style rationale and stamps a SHA-256 attestation of the screen. Your Quality Engineer still makes the call. They just stop burning review cycles on packages that were never ready.

The CSV tax

FDA finalized CSA guidance in September 2025. Risk-based critical thinking replaces script-heavy documentation. The old tooling doesn't fit the new framework, and the new framework has no tooling. That's the gap.

1–1.5x
validation cost on top of implementation
Source: Axendia / MedTech Intelligence, 2018
25%
of project cost goes to documentation alone
Source: LearnGxP (GAMP/ISPE)
$150–500/hr
consultant rates for validation support
Source: MedEnvoy, 2024
Only 14%
of professionals strongly understand CSA
Source: ISPE, Sept 2024

Still 0 purpose-built CSA tools on the market. VibeVal is the first piece of that tooling: not automated judgment — a readiness screen that makes the human judgment cheaper.

How it works

One API call. A deterministic rule engine screens the package, an AI drafts the rationale, and a tamper-evident hash records the screen. The compliance verdict stays with your reviewer.

Step 1

Submit the diff

POST your code change with the IEC 62304 risk class (A, B, or C) and a short context.

Step 2

Rules screen the package

Deterministic rules check the diff for the artifacts IEC 62304 expects at that risk class — tests, traceability IDs, risk analysis, formal verification. No AI in the verdict.

Step 3

A rationale draft comes back

A CSA-style critical-thinking draft against IEC 62304 §5.5–5.7 — written to be edited and owned by your reviewer, not filed as-is.

Step 4

The screen gets attested

A SHA-256 attestation records what was screened, when, and by which engine version. File it alongside your reviewer's assessment in the Design History File.

What you send and what you get

Real shape of the API. Submit on the left, response on the right. compliant means no required artifact is missing for the declared risk class — an artifact-completeness verdict, not a regulatory determination.

Request

POST /v1/validate
Authorization: Bearer csa_...

{
  "framework": "iec-62304",
  "risk_class": "B",
  "change_type": "modification",
  "diff": "...",
  "context": "Patient monitor refresh rate per REQ-042"
}

Response

{
  "compliant": true,
  "findings": [],
  "risk_assessment": {
    "risk_class": "B",
    "required_artifacts": [
      "change_description",
      "test_evidence",
      "design_reference"
    ],
    "missing_artifacts": []
  },
  "validation_rationale": "...",
  "attestation": {
    "timestamp": "2026-05-06T...",
    "input_hash": "sha256:...",
    "framework_version": "iec-62304-2015",
    "engine_version": "1.0.0"
  },
  "rationale_status": "ready"
}

What an incomplete package costs you

The expensive part of validation isn't the first review — it's the rework loop when a package reaches your reviewer missing test evidence or traceability. Put your team's numbers in.

Software changes per year requiring validation 50
10200
Risk class mix
Packages bounced back for missing artifacts 30%
10%60%
Who does the review
Consultant hourly rate
Hours lost per bounced package 6
116
Rework cost/yr
$20,250
VibeVal cost/yr
$63
Potential savings
$20,188
Review cycles saved
15 cycles

Bounce rate and rework hours are your estimates — adjust them to your team's first-pass yield. VibeVal cost assumes every change is screened at list price ($0.50 A, $2 B, $5 C); mixed classes assume a 50/50 blend. Internal team assumes $100/hr fully loaded. Screening flags missing artifacts before review — it does not replace the review itself.

Pricing

Pay per screen. No subscription, no quota expiration. The price scales with the artifact rigor IEC 62304 expects at that risk class.

Class A
$0.50
Software that doesn't contribute to safety. Screens for documentation completeness.
Class B
$2.00
Non-life-threatening injury possible. Screens for design references + test evidence.
Class C
$5.00
Death or serious injury possible. Screens for risk analysis + formal verification evidence.

Buy credits in fixed packs. Credits are dollars — each check deducts its list price.

$20
40 A or 10 B or 4 C
$50
100 A or 25 B or 10 C
$100
200 A or 50 B or 20 C
$250
500 A or 125 B or 50 C
$500
1000 A or 250 B or 100 C

Who this is for

Quality Engineers and Validation Engineers shipping software in regulated environments. VibeVal does the completeness pass so their review time goes to judgment, not checklist-chasing.

The risk landscape

Software validation gaps don't stay internal. They surface as 483s, warning letters, and recalls.

20%+
of all medical device recalls are software-related
Source: Ketryx, 2023; IEEE Spectrum, 2025
47
FDA warning letters in FY2024, up 96% YoY
Source: Emergo by UL, 2024
$2.5–5B/yr
industry cost from quality failures
Source: McKinsey

Questions you'd ask before paying

Does VibeVal validate my software for me?

No — and be suspicious of any tool that claims to. Validation under CSA is a human critical-thinking exercise, and it stays that way. VibeVal screens a change package for the artifacts that exercise needs, drafts the rationale your reviewer edits and owns, and attests what was screened. It makes the human judgment faster and better-fed. It does not replace it.

Is this regulatory advice?

No. VibeVal is a screening tool that assists your validation process. The Quality Engineer remains responsible for the final assessment. The attestation hash is evidence of what you submitted and what the engine returned. It is not a guarantee of regulatory compliance.

Which frameworks are supported?

IEC 62304:2015 today. ISO 13485 software lifecycle requirements and 21 CFR 820.30 design controls are next. Tell us what's blocking your team and we'll prioritize it.

How do you decide a check passes or fails?

Deterministic structural rules. We check whether the submitted diff includes the artifacts IEC 62304 requires for the declared risk class — test files for Class B and C, traceability identifiers (REQ-, SRS-, DESIGN-), risk analysis references for Class C, formal verification evidence for Class C. The rules can be reviewed and contested. The LLM only generates the rationale text, never the verdict.

Can a package pass the screen and still fail review?

Yes. The screen checks that the required artifacts are present, not that they're good. A test file can exist and still be inadequate; a traceability ID can be cited and still be wrong. That's exactly the judgment your reviewer is for — the screen just guarantees they never spend a cycle discovering an artifact is missing entirely.

What happens to my code?

The diff is sent to the rule engine and the rationale generator. We do not store the diff content. We store an SHA-256 hash of the inputs and result, and a usage record (timestamp, risk class, status code) for billing.

Why pay per check instead of a subscription?

Because Quality Engineers can expense $20 of credits without procurement approval. Subscriptions need contracts. Per-use pricing also keeps the incentive aligned: we make money when you use the tool, not when you forget to cancel.

What if FDA's CSA guidance changes?

The rules engine and rationale generator are versioned. Every attestation records the engine version that ran. If guidance shifts, we update the engine and version-bump. Your historical attestations remain reproducible against the version they ran on.

Can I integrate this into CI/CD?

Yes. The API is HTTP. A GitHub Action wrapper is on the roadmap; for now a few lines of curl in your pipeline run a check on every PR. The async rationale endpoint lets you gate CI on the deterministic verdict and fetch the rationale separately for the audit trail.

How does this compare to Veeva, MasterControl, Greenlight Guru?

Those are quality management systems. They store documents, route signatures, and manage workflows. VibeVal screens a specific code change against IEC 62304's artifact requirements in seconds. The two are complementary. The attestation hash drops into your existing QMS as evidence of the screen.

Send your reviewer complete packages.

Sign up, get an API key, screen your first change in under a minute.

Get started