Regulatory compiler for SaMD teams


Cairn turns source artifacts, work-system snapshots, strategy, and regulatory constraints into typed, cited, replayable compliance signals.

Start with read-only audit evidence, then graduate to gated workflow assistance after source, security, and legal posture are approved.

Compiler spine

Source -> tests -> findings

Artifact versions, source bindings, provider snapshots, source maps, citations, and package manifests stay linked.

CI-for-compliance

Runs on product change

PRs, Jira changes, document updates, imports, and scheduled package checks can produce stable results and cited logs.

Write posture

Would-write first

External comments and tasks require trigger envelopes, deterministic validation, output records, idempotency, and replay.

Human floor

No AI approvals

AI can propose, draft, detect, explain, route, and prepare evidence; humans retain signatures and final dispositions.

How it works

From source mirror to reviewable evidence.

Cairn fits around the work systems your team already uses, then makes source freshness, traceability, package gaps, and human decisions visible.

01 SCOPE

Define device strategy and source posture.

Map intended use, submission path, source systems, corpus boundaries, and what Cairn is allowed to mirror.

Read-only audit, De Novo, 510(k), SaMD Class II

02 MIRROR

Watch the systems where work already happens.

Cairn records artifact versions, external source bindings, provider snapshots, sync health, and stale-source warnings.

GitHub, Jira, Google Docs, PDFs and spreadsheets

03 COMPILE

Run compliance checks as product work changes.

The compiler evaluates catalog checks against mirrored evidence, strategy, and traceability endpoints.

Compliance tests, Traceability links, Cited findings, Conflict detection

04 REVIEW

Route findings and package gaps to human owners.

Suggested updates, comments, and package sections move through explicit review queues before any controlled decision.

Review queues, Consultant rubrics, Waivers, Evidence packages

05 OPERATE

Keep readiness visible without replacing your QMS.

Cairn shows freshness, changes, failures, approvals pending, and replay history while source systems remain authoritative.

Sync health, Replay artifacts, Audit trail, Human authority

CI-for-compliance

Compliance checks should feel runnable.

Results cite source versions, mirror freshness, test definitions, and review posture so teams can rerun, waive, or route them with evidence.

Product surfaces

A governance view over the compliance signal layer.

Cairn does not need to become the authoring home for every artifact. It watches, compiles, routes, and records the evidence needed for regulated work.

Hybrid source mirror

Defensible mirrored state for GitHub, Jira, docs, uploads, and historical package exports, including freshness and provenance.

Compliance test catalog

Versioned deterministic, evidence-check, AI-judgment, and manual-review checks that users can inspect before trusting outputs.

Traceability graph

Candidate and confirmed links between requirements, risks, controls, tests, evidence, claims, and package sections.

Gated external outputs

Comments, draft tasks, and suggested document updates are prepared as would-writes with validation and replay records.

Human review queues

Quality, regulatory, consultant, and engineering owners keep final authority over approvals, releases, signatures, and risk.

Evidence packages

Cited, replayable package views for audits, consultant review, signoff preparation, and submission readiness discussion.

Security and regulatory trust

Human authority stays explicit.

Cairn can propose and prepare evidence, but controlled quality decisions remain bounded by human review, policy, permissions, and audit records.

Data posture

Production exports default to metadata, hashes, artifact IDs, and redacted excerpts.

Trace redaction events and evidence package manifests

Security

Support access requires approval, scoped sessions, and audit events.

Support access grants, sessions, and auth events

Source integrity

Every finding cites the source version, mirror freshness, and run context it depended on.

Source artifact versions, sync states, and compiler run artifacts

Regulatory authority

Catalog fixtures and AI judgments route to consultant or human review until formally approved.

Catalog version, rubric snapshots, and review queue events

Boundary: Posture

Approvals, release, and signatures: AI never signs, approves, releases, or closes controlled quality records.

External writes: Would-writes require trigger envelopes, deterministic validation, output records, idempotency, and replay.

Final risk and submission decisions: Humans retain final risk acceptance and final submission-required determinations.

Customer systems of record: Cairn mirrors source systems and routes work back to them; it does not force day-one QMS replacement.

Pilot waitlist

Read-only audit first.

Pilot conversations start with corpus scope, security posture, source-of-truth boundaries, and read-only audit fit.

Request a fit review

SaMD founders, quality leaders, and regulatory consultants

Posts to /api/v1/waitlist. Stored as metadata_hash_redacted_excerpt; live delivery is false.