Does anyone know if it's possible to get the FDA to certify a snapshot of source code, along with a complete test suite - instead of an executable binary - for use in medical devices?
From my limited experience with this, it seems that all existing medical device software is closed source and is certified as executables - but I'm not sure if this is a limitation of the FDA processes, or the fact that they're intended to be closed source?
That's not quite how it works with the FDA. One thing you have to be able to do is demonstrate reproducibility - so an exec + toolchain is easier, but there is no reason that you couldn't in principle do the same thing with source + toolchain + test. There is more to it, of course.
More importantly though, there isn't such a thing as "certification". You can go through a PMA or 510(k) to get "approval to market" for a restricted set of claims based on your filing, leading to "indications for use". This wouldn't really apply to an open source project unless someone were selling it and making claims on how it could be applied.
In the US, clinicians would have fairly broad power to use a product "off label" if they chose, and the FDA doesn't control anything around what you might choose to use on yourself.
Just to extend off the other replies, the license might also be a factor. GPLv3 has an anti-TiVo, "you must let your users apply their changes to hardware" clause. FDA might consider that too risky.
The anti-TiVo clause has some major exceptions since it is designed to address a very specific scenario: one where the owner can update the device but only through the approval of the device manufacturer through signed updates.
That creates two cases where the GPL has no issue with DRM. The first case is when no one can update the device because there is no update mechanism.
The second case is when there is DRM, and the device can be updated, and the manufacturer gives the owner the power to inject their own keys. Again this is allowed.
FDA should have no issue with the first case. It may have an issue with the second case if the update allows for changes which impact the medical safety of the device (but not technological security, as there is an exception for that by the FDA).
It’s about auditing. Requiring an executable binary means they can pick up any device off any shelf in any store and verify the binary is the same as the one they approved.
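The two posts above hinge on the same check: the auditor pulls an artifact off the shelf, hashes it, and compares it to the approved record, which only works for a source + toolchain submission if the build is bit-for-bit reproducible. The following is an added example, not code from any commenter, using Python's own bytecode compiler as a stand-in toolchain: a constructed module is "built" twice with the source mtime changed between builds, showing that the default timestamp-embedding mode does not reproduce while the hash-based mode does, and that only the latter lets the shelf artifact be matched against an approved digest. The source text, file names and digests are all constructed for the example.

```python
"""Reproducible-build check: does source + toolchain reproduce the approved artifact?

Constructed example: a tiny module is compiled to .pyc twice with different
source mtimes.  TIMESTAMP mode writes the mtime into the pyc header, so the two
builds differ; UNCHECKED_HASH mode writes a hash of the source instead, so the
builds are identical and their digest can be recorded and later verified.
"""
import hashlib
import hmac
import os
import py_compile
import tempfile

# Constructed "device firmware" source used for both builds.
SOURCE = "def dose(weight_kg, mg_per_kg):\n    return weight_kg * mg_per_kg\n"

# The two toolchain configurations under comparison.
TIMESTAMP_MODE = py_compile.PycInvalidationMode.TIMESTAMP
HASH_MODE = py_compile.PycInvalidationMode.UNCHECKED_HASH


def sha256_file(path):
    """SHA-256 hex digest of a file, the value an auditor would record."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build(src_path, out_path, mode):
    """Compile src_path to out_path with the given invalidation mode; return its digest."""
    py_compile.compile(src_path, cfile=out_path, doraise=True, invalidation_mode=mode)
    return sha256_file(out_path)


def build_twice(mode):
    """Build identical source twice, bumping its mtime in between (as a second
    build machine or a fresh checkout would), and return both digests."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "dose.py")
        with open(src, "w") as f:
            f.write(SOURCE)
        os.utime(src, (1_000_000_000, 1_000_000_000))
        first = build(src, os.path.join(tmp, "build1.pyc"), mode)
        os.utime(src, (1_100_000_000, 1_100_000_000))
        second = build(src, os.path.join(tmp, "build2.pyc"), mode)
    return first, second


def is_reproducible(mode):
    """True when two independent builds of the same source yield the same bytes."""
    first, second = build_twice(mode)
    return first == second


def verify_against_record(artifact_digest, approved_digest):
    """The auditor's check: the artifact in hand must hash to the approved record."""
    return hmac.compare_digest(artifact_digest, approved_digest)


if __name__ == "__main__":
    print("timestamp mode reproducible:", is_reproducible(TIMESTAMP_MODE))
    print("hash mode reproducible:     ", is_reproducible(HASH_MODE))
    approved, shelf = build_twice(HASH_MODE)
    print("shelf artifact matches approved record:", verify_against_record(shelf, approved))
```

The point for a source-based submission is the second configuration: the reviewer must be able to pin the toolchain and its settings tightly enough that anyone rebuilding from the approved source gets the approved digest; otherwise only the executable itself can serve as the reference.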