X-DLM™ integration: Siemens Polarion and Black Duck

The FDA doesn't fail submissions for bad code. It fails them for missing evidence.

Engineering teams are building submission-ready devices. They are not building submission-ready evidence.

IEC 62304 Class B and C require a complete, traceable, machine-readable record of every component, requirement, test, and approval — continuously maintained, not reconstructed under pressure. The FDA's Section 524B enforcement is active: submissions missing that evidence chain are refused before review begins. X-DLM™ connects Black Duck's component intelligence to Siemens Polarion so that evidence exists from the first sprint — audit-ready as you build, not assembled the week before submission.
Lead in cybersecurity with Siemens and Black Duck

23% of organizations have end-to-end traceability from requirements to release. IEC 62304 and the FDA require it from all of them.

23%

Of organizations have end-to-end traceability from requirements to release. Source: VDC Research / Siemens ALM/PLM Study.

317K+

Known vulnerabilities in Black Duck's knowledge base — with BDSA advisories up to 3 weeks ahead of NVD for critical component risk.

68%

Of medical devices are now classified as FDA 'cyber devices' — requiring SBOM, postmarket surveillance plan, and secure development evidence in every submission.

48h

Time to first SBOM from Black Duck integration — no pipeline rebuild. SPDX and CycloneDX output ready for FDA eSTAR submission immediately.

Sources: VDC Research ALM/PLM Study. FDA Section 524B. OSSRA 2026.

The gap is not development quality. It is the governed evidence chain the FDA and IEC 62304 auditors require.

  • 01 Component intelligence across every source

    Black Duck scans source code, binaries, containers, firmware, and AI-generated snippets — identifying every third-party component, version, license, vulnerability, and malware signal. Your IEC 62304 component inventory is generated, not manually assembled.

  • 02 IEC 62304 traceability — maintained, not reconstructed

    Polarion links system requirements → software requirements → architecture → unit tests → integration tests → release documentation. The traceability matrix is a byproduct of normal engineering activity, not a pre-submission construction project.

  • 03 SBOM generation for FDA eSTAR submission

    Black Duck generates machine-readable SPDX and CycloneDX SBOMs aligned to NTIA minimum elements and FDA June 2025 guidance requirements. X-DLM™ version-controls and links each SBOM to the corresponding Polarion release record.

  • 04 Change control through governed Polarion workflows

    Every component change, vulnerability finding, or license conflict is routed into a Polarion work item with assigned owner, IEC 62304 Class mapping, risk acceptance documentation, and approval chain — producing the change control record the FDA expects.

See how Siemens Polarion and Black Duck become one governed software risk workflow.

X-DLM™ turns Black Duck software supply chain intelligence into Siemens Polarion work items, requirements links, approvals, escalation paths, and continuously maintained evidence.

Brand authority buyers recognize

Backed by Siemens lifecycle governance and Black Duck AppSec intelligence.

Siemens Polarion ALM

Polarion provides the lifecycle system of record for requirements, tests, approvals, traceability, workflow automation, audit evidence, and regulated software delivery.

ALM · Requirements · Test · Workflow · LiveDocs evidence

Black Duck Software Composition Analysis

Black Duck identifies open source and third-party components across source, binaries, containers, firmware, snippets, AI-generated code, and C/C++ environments without package managers.

317,000+ vulns · 63,000+ exclusive advisories · 3,000+ licenses

The most common engineering objections — answered

"We already have a list of our open-source components."

A list is not an SBOM. The FDA requires machine-readable SPDX or CycloneDX format with NTIA minimum elements, linked to vulnerability status and support windows. Black Duck generates it. X-DLM™ maintains it through every build.
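To make the difference between "a list of components" and an NTIA-conformant SBOM concrete (this answer and item 03 above), here is an added example, not X-DLM™, Black Duck or Polarion code. It builds a CycloneDX 1.5 document from a constructed inventory, attaches a release-record reference (the property name `release-record` and the id `REL-PLACEHOLDER` are assumptions, not Polarion's schema), and then checks the document against the NTIA minimum elements: supplier, component name, version, unique identifier, dependency relationship, SBOM author, and timestamp. The same check run over a bare name/version list shows exactly which elements are missing.

```python
"""Build a CycloneDX 1.5 SBOM from a component inventory and check it against
the NTIA minimum elements. Added example; the inventory, supplier names and
release id are constructed for illustration and are not from any real scan."""
import json
from datetime import datetime, timezone

# Constructed inventory, shaped like what an SCA scan would hand over.
INVENTORY = [
    {"name": "zlib", "version": "1.3.1", "supplier": "zlib contributors",
     "purl": "pkg:generic/zlib@1.3.1", "depends_on": []},
    {"name": "mbedtls", "version": "3.6.0", "supplier": "Arm Limited",
     "purl": "pkg:generic/mbedtls@3.6.0",
     "depends_on": ["pkg:generic/zlib@1.3.1"]},
]

# The "list of open-source components" many teams keep: names and versions only.
PLAIN_LIST = [{"name": "zlib", "version": "1.3.1"},
              {"name": "mbedtls", "version": "3.6.0"}]


def build_sbom(inventory, author, release_id, timestamp=None):
    """Return a CycloneDX 1.5 document (as a dict) for the inventory.
    release_id is stored as a metadata property so the SBOM can be tied back
    to a lifecycle release record (assumed property name, not Polarion's)."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    components = []
    for c in inventory:
        entry = {"type": "library", "name": c.get("name"), "version": c.get("version")}
        if c.get("supplier"):
            entry["supplier"] = {"name": c["supplier"]}
        if c.get("purl"):
            entry["purl"] = c["purl"]
            entry["bom-ref"] = c["purl"]      # stable ref for the dependency graph
        components.append(entry)
    dependencies = [{"ref": c["purl"], "dependsOn": list(c.get("depends_on", []))}
                    for c in inventory if c.get("purl")]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "timestamp": ts,
            "authors": [{"name": author}],
            "properties": [{"name": "release-record", "value": release_id}],
        },
        "components": components,
        "dependencies": dependencies,
    }


def naive_sbom(plain_list):
    """Wrap a bare name/version list in CycloneDX framing without adding
    anything: this is what 'we already have a list' usually amounts to."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": [{"type": "library", **c} for c in plain_list]}


def ntia_gaps(sbom):
    """Return human-readable gaps against the NTIA minimum elements.
    An empty list means every minimum element is present."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("authors"):
        gaps.append("metadata: author of SBOM data missing")
    if not meta.get("timestamp"):
        gaps.append("metadata: timestamp missing")
    refs = set()
    for comp in sbom.get("components", []):
        label = comp.get("name") or "<unnamed>"
        if not comp.get("name"):
            gaps.append(f"{label}: component name missing")
        if not comp.get("version"):
            gaps.append(f"{label}: version missing")
        if not comp.get("supplier", {}).get("name"):
            gaps.append(f"{label}: supplier name missing")
        if not (comp.get("purl") or comp.get("cpe")):
            gaps.append(f"{label}: unique identifier (purl/cpe) missing")
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
    # Every component with a ref must appear in the dependency graph,
    # even if its dependsOn list is empty (a leaf).
    covered = {d.get("ref") for d in sbom.get("dependencies", [])}
    for ref in sorted(refs - covered):
        gaps.append(f"{ref}: dependency relationship missing")
    if sbom.get("components") and not sbom.get("dependencies"):
        gaps.append("dependencies: no dependency relationships recorded")
    return gaps


def sbom_json(sbom):
    """Serialise for submission or for storage beside a release record."""
    return json.dumps(sbom, indent=2, sort_keys=True)


if __name__ == "__main__":
    full = build_sbom(INVENTORY, "Example Device Team", "REL-PLACEHOLDER")
    print("full SBOM gaps:", ntia_gaps(full) or "none")
    print("plain list gaps:")
    for gap in ntia_gaps(naive_sbom(PLAIN_LIST)):
        print("  -", gap)
    print(sbom_json(full))
```

Run as a script it reports no gaps for the built SBOM and seven for the plain list (author, timestamp, two suppliers, two identifiers, and the absent dependency graph). The check is deliberately structural rather than a full schema validation: it answers the auditor's question of whether each minimum element is there at all, which is the point at which a component list stops being evidence.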

"Our traceability is in Jira and Excel."

IEC 62304 requires a documented, controlled traceability matrix from requirements through architecture, code, tests, and release. Jira and Excel are not controlled systems of record for Class B and C medical device software. Polarion is.

From component inventory to FDA submission-ready SBOM.

Without a pre-submission sprint.

See how X-DLM™ integrates Black Duck and Siemens Polarion to automate IEC 62304 component governance, FDA 524B SBOM generation, requirements-to-release traceability, and postmarket vulnerability evidence — in a technical walkthrough built for medical device engineering teams.