Release Management
Purpose
Define controlled release process for medical device software: versioning, branching, verification, approvals, documentation, and post-release monitoring.
When to Apply
- •Preparing any software release or field update.
Requirements (testable)
- •Versioning: Use semantic and/or regulated versioning; tie to configuration baselines; record in release notes. Rationale: traceability.
- •Branch Strategy: Maintain protected release branches; gate merges with tests/approvals; tag releases. Rationale: control and reproducibility.
- •Verification: Ensure required tests (unit/integration/HIL), coverage, SAST/DAST, and security scans pass for the release build. Rationale: assurance.
- •Approvals: Obtain required QA/RA and security approvals; document sign-offs. Rationale: governance.
- •Artifacts: Store signed binaries, SBOM, test reports, coverage, and trace matrices; include checksums. Rationale: auditability and integrity.
- •Post-Release: Monitor field metrics, incidents, and vulnerabilities; feed into PMS/risk files; patch policy defined. Rationale: lifecycle safety.
Recommended Practices
- •Maintain a release checklist template.
- •Generate human-readable and machine-readable release manifests.
- •Align release cadence with regulatory submission plans when applicable.
- •Include rollback plan for field updates.
Patterns
Release manifest (YAML):
yaml
version: 1.3.0 git_tag: v1.3.0 artifacts: - fw.bin - fw.bin.sig - sbom.json checksums: fw.bin: sha256:... approvals: qa: alice ra: bob tests: [unit.xml, integ.xml, hil.xml]
Release checklist (excerpt):
code
- [ ] Tests/coverage meet thresholds - [ ] SAST/DAST clean or issues accepted with rationale - [ ] SBOM generated and stored - [ ] Approvals recorded - [ ] Rollback plan documented
Anti-Patterns (risks)
- •Ad-hoc releases without baselines/tags -> risk: irreproducible builds.
- •Missing approvals -> risk: compliance gap.
- •Shipping without security/verification checks -> risk: defects in field.
- •No rollback plan -> risk: prolonged outage/safety impact.
Verification Checklist
- • Version/tag assigned; branch protected; reproducible build recorded.
- • Required verification passed; SAST/DAST/coverage within thresholds.
- • Approvals captured (QA/RA/security).
- • Artifacts signed, checksummed, SBOM and trace matrices stored.
- • Post-release monitoring plan in place; rollback plan defined.
Traceability
- •Link release tag to build metadata, change requests, test reports, SBOM, and approvals; store manifest with artifacts.
References
- •IEC 62304 config/release expectations.
- •FDA/MDR submission documentation for software versions.
- •SLSA concepts for provenance (informative).
Changelog
- •1.0.0 (2026-01-04): Initial release management skill with branching, verification, approvals, and monitoring.
Audit History
- •2026-01-04: Audit performed. Verified:
- •IEC 62304 config/release expectations correctly referenced
- •FDA/MDR submission documentation requirements appropriately noted
- •SLSA concepts correctly marked as informative