
quality-manager-qms-iso13485

SKILL.md

Quality Manager - QMS ISO 13485 Specialist

ISO 13485:2016 Quality Management System implementation, maintenance, and certification support for medical device organizations.

QMS Implementation Workflow

Implement an ISO 13485:2016-compliant quality management system, from gap analysis through certification.

Workflow: Initial QMS Implementation

  1. Conduct gap analysis against ISO 13485:2016 requirements
  2. Document current state vs. required state for each clause
  3. Prioritize gaps by:
    • Regulatory criticality
    • Risk to product safety
    • Resource requirements
  4. Develop implementation roadmap with milestones
  5. Establish Quality Manual per Clause 4.2.2:
    • QMS scope with justified exclusions
    • Process interactions
    • Procedure references
  6. Create required documented procedures:
    • Document control (4.2.3)
    • Record control (4.2.4)
    • Internal audit (8.2.4)
    • Nonconforming product (8.3)
    • Corrective action (8.5.2)
    • Preventive action (8.5.3)
  7. Deploy processes with training
  8. Validation: Gap analysis complete; Quality Manual approved; all required procedures documented and trained

Gap Analysis Matrix

| Clause | Requirement | Current State | Gap | Priority | Action |
|---|---|---|---|---|---|
| 4.2.2 | Quality Manual | Not documented | Major | High | Create QM |
| 4.2.3 | Document control | Informal | Moderate | High | Formalize SOP |
| 5.6 | Management review | Ad hoc | Major | High | Establish schedule |
| 7.3 | Design control | Partial | Moderate | Medium | Complete procedures |
| 8.2.4 | Internal audit | None | Major | High | Create program |

QMS Structure

| Level | Document Type | Purpose | Example |
|---|---|---|---|
| 1 | Quality Manual | QMS overview, policy | QM-001 |
| 2 | Procedures | How processes work | SOP-02-001 |
| 3 | Work Instructions | Task-level detail | WI-06-012 |
| 4 | Records | Evidence of conformity | Training records |

Required Procedure List

| Clause | Procedure | Minimum Content |
|---|---|---|
| 4.2.3 | Document Control | Approval, review, distribution, obsolete control |
| 4.2.4 | Record Control | Identification, storage, retention, disposal |
| 8.2.4 | Internal Audit | Program, auditor qualification, reporting |
| 8.3 | Nonconforming Product | Identification, segregation, disposition |
| 8.5.2 | Corrective Action | Investigation, root cause, effectiveness |
| 8.5.3 | Preventive Action | Risk identification, implementation, verification |

Document Control Workflow

Establish and maintain document control per ISO 13485 Clause 4.2.3.

Workflow: Document Creation and Approval

  1. Identify need for new document or revision
  2. Assign document number per numbering convention:
    • Format: [TYPE]-[AREA]-[SEQUENCE]-[REV]
    • Example: SOP-02-001-01
  3. Draft document using approved template
  4. Route for review to subject matter experts
  5. Collect and address review comments
  6. Obtain required approvals based on document type
  7. Update Document Master List
  8. Validation: Document numbered correctly; all reviewers signed; Master List updated

Document Numbering Convention

| Prefix | Document Type | Approval Authority |
|---|---|---|
| QM | Quality Manual | Management Rep + CEO |
| POL | Policy | Department Head + QA |
| SOP | Procedure | Process Owner + QA |
| WI | Work Instruction | Supervisor + QA |
| TF | Template/Form | Process Owner |
| SPEC | Specification | Engineering + QA |

Area Codes

| Code | Area | Examples |
|---|---|---|
| 01 | Quality Management | Quality Manual, policy |
| 02 | Document Control | This procedure |
| 03 | Training | Competency procedures |
| 04 | Design | Design control |
| 05 | Purchasing | Supplier management |
| 06 | Production | Manufacturing |
| 07 | Quality Control | Inspection, testing |
| 08 | CAPA | Corrective actions |

Document Change Control

| Change Type | Approval Level | Examples |
|---|---|---|
| Administrative | Document Control | Typos, formatting |
| Minor | Process Owner + QA | Clarifications |
| Major | Full review cycle | Process changes |
| Emergency | Expedited + retrospective | Safety issues |

Document Review Schedule

| Document Type | Review Period | Trigger for Unscheduled Review |
|---|---|---|
| Quality Manual | Annual | Organizational change |
| Procedures | Annual | Audit finding, regulation change |
| Work Instructions | 2 years | Process change |
| Forms | 2 years | User feedback |

Internal Audit Workflow

Plan and execute internal audits per ISO 13485 Clause 8.2.4.

Workflow: Annual Audit Program

  1. Identify processes and areas requiring audit coverage
  2. Assess risk factors for audit frequency:
    • Previous audit findings
    • Regulatory changes
    • Process changes
    • Complaint trends
  3. Assign qualified auditors (independent of area audited)
  4. Develop annual audit schedule
  5. Obtain management approval
  6. Communicate schedule to process owners
  7. Track completion and reschedule as needed
  8. Validation: All processes covered; auditors qualified and independent; schedule approved

Workflow: Individual Audit Execution

  1. Prepare audit plan with scope, criteria, and schedule
  2. Notify the auditee at least 1 week in advance
  3. Review procedures and previous audit results
  4. Prepare audit checklist
  5. Conduct opening meeting
  6. Collect evidence through:
    • Document review
    • Record sampling
    • Process observation
    • Personnel interviews
  7. Classify findings:
    • Major NC: Absence or breakdown of system
    • Minor NC: Single lapse or deviation
    • Observation: Risk of future NC
  8. Conduct closing meeting
  9. Issue audit report within 5 business days
  10. Validation: All checklist items addressed; findings supported by evidence; report distributed

Audit Program Template

| Audit # | Process | Clauses | Q1-Q4 | Auditor |
|---|---|---|---|---|
| IA-001 | Document Control | 4.2.3, 4.2.4 | X | [Name] |
| IA-002 | Management Review | 5.6 | X | [Name] |
| IA-003 | Design Control | 7.3 | X | [Name] |
| IA-004 | Production | 7.5 | X | [Name] |
| IA-005 | CAPA | 8.5.2, 8.5.3 | X | [Name] |

Auditor Qualification Requirements

| Criterion | Requirement |
|---|---|
| Training | ISO 13485 awareness + auditor training |
| Experience | Minimum 1 audit as observer |
| Independence | Not auditing own work area |
| Competence | Understanding of audited process |

Finding Classification Guide

| Classification | Criteria | Response Time |
|---|---|---|
| Major NC | System absence, total breakdown, regulatory violation | 30 days for CAPA |
| Minor NC | Single instance, partial compliance | 60 days for CAPA |
| Observation | Potential risk, improvement opportunity | Track in next audit |

Process Validation Workflow

Validate special processes per ISO 13485 Clause 7.5.6.

Workflow: Process Validation Protocol

  1. Identify processes requiring validation:
    • Output cannot be verified by inspection
    • Deficiencies appear only in use
    • Sterilization, welding, sealing, software
  2. Form validation team with subject matter experts
  3. Write validation protocol including:
    • Process description and parameters
    • Equipment and materials
    • Acceptance criteria
    • Statistical approach
  4. Execute Installation Qualification (IQ):
    • Verify equipment installed correctly
    • Document equipment specifications
  5. Execute Operational Qualification (OQ):
    • Test parameter ranges
    • Verify process control
  6. Execute Performance Qualification (PQ):
    • Run production conditions
    • Verify output meets requirements
  7. Write validation report with conclusions
  8. Validation: IQ/OQ/PQ complete; acceptance criteria met; validation report approved

Validation Documentation Requirements

| Phase | Content | Evidence |
|---|---|---|
| Protocol | Objectives, methods, criteria | Approved protocol |
| IQ | Equipment verification | Installation records |
| OQ | Parameter verification | Test results |
| PQ | Performance verification | Production data |
| Report | Summary, conclusions | Approval signatures |

Revalidation Triggers

| Trigger | Action Required |
|---|---|
| Equipment change | Assess impact, revalidate affected phases |
| Parameter change | OQ and PQ minimum |
| Material change | Assess impact, PQ minimum |
| Process failure | Full revalidation |
| Periodic | Per validation schedule (typically 3 years) |

Special Process Examples

| Process | Validation Standard | Critical Parameters |
|---|---|---|
| EO Sterilization | ISO 11135 | Temperature, humidity, EO concentration, time |
| Steam Sterilization | ISO 17665 | Temperature, pressure, time |
| Radiation Sterilization | ISO 11137 | Dose, dose uniformity |
| Sealing | Internal | Temperature, pressure, dwell time |
| Welding | ISO 11607 | Heat, pressure, speed |

Supplier Qualification Workflow

Evaluate and approve suppliers per ISO 13485 Clause 7.4.

Workflow: New Supplier Qualification

  1. Identify supplier category:
    • Category A: Critical (affects safety/performance)
    • Category B: Major (affects quality)
    • Category C: Minor (indirect impact)
  2. Request supplier information:
    • Quality certifications
    • Product specifications
    • Quality history
  3. Evaluate supplier based on:
    • Quality system (ISO certification)
    • Technical capability
    • Quality history
    • Financial stability
  4. For Category A suppliers:
    • Conduct on-site audit
    • Require quality agreement
  5. Calculate qualification score
  6. Make approval decision:
    • >80: Approved
    • 60-80: Conditional approval
    • <60: Not approved
  7. Add to Approved Supplier List
  8. Validation: Evaluation criteria scored; qualification records complete; supplier categorized

Supplier Evaluation Criteria

| Criterion | Weight | Scoring |
|---|---|---|
| Quality System | 30% | ISO 13485=30, ISO 9001=20, Documented=10, None=0 |
| Quality History | 25% | Reject rate: <1%=25, 1-3%=15, >3%=0 |
| Delivery | 20% | On-time: >95%=20, 90-95%=10, <90%=0 |
| Technical Capability | 15% | Exceeds=15, Meets=10, Marginal=5 |
| Financial Stability | 10% | Strong=10, Adequate=5, Questionable=0 |
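Steps 5 and 6 of the qualification workflow and the criteria table above together define a scoring algorithm; the following is an added example (not code from the original skill or the borghei/claude-skills project) that implements it end to end. Each criterion's weight equals its maximum points, so the qualification score is simply the sum of the five point awards. Two details are my reading of the text rather than something it states explicitly: a score of exactly 80 falls in the "60-80: Conditional approval" band (only scores above 80 are "Approved"), and for Category A suppliers the on-site audit and quality agreement from step 4 are treated as prerequisites that block approval when missing, independent of the score. Supplier names and figures are constructed.

```python
"""Supplier qualification scoring and approval decision (added example)."""
from dataclasses import dataclass

# Point awards per criterion, copied from the Supplier Evaluation Criteria table
QUALITY_SYSTEM_POINTS = {"ISO 13485": 30, "ISO 9001": 20, "Documented": 10, "None": 0}
TECHNICAL_POINTS = {"Exceeds": 15, "Meets": 10, "Marginal": 5}
FINANCIAL_POINTS = {"Strong": 10, "Adequate": 5, "Questionable": 0}


def quality_history_points(reject_rate_pct: float) -> int:
    # Reject rate: <1% = 25, 1-3% = 15, >3% = 0 (band edges 1% and 3% score 15)
    if reject_rate_pct < 1.0:
        return 25
    if reject_rate_pct <= 3.0:
        return 15
    return 0


def delivery_points(on_time_pct: float) -> int:
    # On-time delivery: >95% = 20, 90-95% = 10, <90% = 0
    if on_time_pct > 95.0:
        return 20
    if on_time_pct >= 90.0:
        return 10
    return 0


@dataclass
class SupplierEvaluation:
    name: str
    category: str            # "A" critical, "B" major, "C" minor
    quality_system: str      # key of QUALITY_SYSTEM_POINTS
    reject_rate_pct: float
    on_time_pct: float
    technical: str           # key of TECHNICAL_POINTS
    financial: str           # key of FINANCIAL_POINTS
    onsite_audit_done: bool = False        # Category A step 4 evidence
    quality_agreement_signed: bool = False  # Category A step 4 evidence


def qualification_score(e: SupplierEvaluation) -> int:
    """Weighted score out of 100; weights equal the maximum points of each criterion."""
    return (QUALITY_SYSTEM_POINTS[e.quality_system]
            + quality_history_points(e.reject_rate_pct)
            + delivery_points(e.on_time_pct)
            + TECHNICAL_POINTS[e.technical]
            + FINANCIAL_POINTS[e.financial])


def approval_decision(e: SupplierEvaluation) -> tuple[int, str]:
    """Apply the step 6 thresholds; Category A prerequisites gate the decision (my assumption)."""
    score = qualification_score(e)
    if e.category == "A" and not (e.onsite_audit_done and e.quality_agreement_signed):
        return score, "Not approved (Category A prerequisites missing)"
    if score > 80:
        return score, "Approved"
    if score >= 60:
        return score, "Conditional approval"
    return score, "Not approved"


if __name__ == "__main__":
    # Constructed evaluations for demonstration
    for s in (
        SupplierEvaluation("Acme Molding", "B", "ISO 13485", 0.5, 97.0, "Meets", "Adequate"),
        SupplierEvaluation("Budget Parts", "C", "ISO 9001", 2.0, 92.0, "Marginal", "Questionable"),
        SupplierEvaluation("Sterile Services", "A", "ISO 13485", 0.5, 97.0, "Meets", "Adequate"),
    ):
        print(f"{s.name:18} {approval_decision(s)}")
```

Keeping the band boundaries in small, named functions makes the edge cases (exactly 1% rejects, exactly 95% on-time, exactly 80 points) explicit and reviewable; these are the cases most often scored inconsistently between evaluators.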

Supplier Category Requirements

| Category | Qualification | Monitoring | Agreement |
|---|---|---|---|
| A - Critical | On-site audit | Annual review | Quality agreement |
| B - Major | Questionnaire | Semi-annual review | Quality requirements |
| C - Minor | Assessment | Issue-based | Standard terms |

Supplier Performance Metrics

| Metric | Target | Calculation |
|---|---|---|
| Accept Rate | >98% | (Accepted lots / Total lots) × 100 |
| On-Time Delivery | >95% | (On-time / Total orders) × 100 |
| Response Time | <5 days | Average days to resolve issues |
| Documentation | 100% | (Complete CoCs / Required CoCs) × 100 |

QMS Process Reference

ISO 13485 Clause Structure

| Clause | Title | Key Requirements |
|---|---|---|
| 4.1 | General Requirements | Process identification, interaction, outsourcing |
| 4.2 | Documentation | Quality Manual, procedures, records |
| 5.1-5.5 | Management Responsibility | Commitment, policy, objectives, organization |
| 5.6 | Management Review | Inputs, outputs, records |
| 6.1-6.4 | Resource Management | Personnel, infrastructure, environment |
| 7.1 | Product Realization Planning | Quality plan, risk management |
| 7.2 | Customer Requirements | Determination, review, communication |
| 7.3 | Design and Development | Planning, inputs, outputs, review, V&V, transfer, changes |
| 7.4 | Purchasing | Supplier control, purchasing info, verification |
| 7.5 | Production | Control, cleanliness, validation, identification, traceability |
| 7.6 | Monitoring Equipment | Calibration, control |
| 8.1 | Measurement Planning | Monitoring and analysis planning |
| 8.2 | Monitoring | Feedback, complaints, reporting, audits, process, product |
| 8.3 | Nonconforming Product | Control, disposition |
| 8.4 | Data Analysis | Trend analysis |
| 8.5 | Improvement | CAPA |

Management Review Required Inputs (Clause 5.6.2)

| Input | Source | Prepared By |
|---|---|---|
| Audit results | Internal and external audits | QA Manager |
| Customer feedback | Complaints, surveys | Customer Quality |
| Process performance | Process metrics | Process Owners |
| Product conformity | Inspection data, NCs | QC Manager |
| CAPA status | CAPA system | CAPA Officer |
| Previous actions | Prior review records | QMR |
| Changes affecting QMS | Regulatory, organizational | RA Manager |
| Recommendations | All sources | All Managers |

Record Retention Requirements

| Record Type | Minimum Retention | Regulatory Basis |
|---|---|---|
| Device Master Record | Life of device + 2 years | 21 CFR 820.181 |
| Device History Record | Life of device + 2 years | 21 CFR 820.184 |
| Design History File | Life of device + 2 years | 21 CFR 820.30 |
| Complaint Records | Life of device + 2 years | 21 CFR 820.198 |
| Training Records | Employment + 3 years | Best practice |
| Audit Records | 7 years | Best practice |
| CAPA Records | 7 years | Best practice |
| Calibration Records | Equipment life + 2 years | Best practice |

Decision Frameworks

Exclusion Justification (Clause 4.2.2)

| Clause | Permissible Exclusion | Justification Required |
|---|---|---|
| 6.4.2 | Contamination control | Product not affected by contamination |
| 7.3 | Design and development | Organization does not design products |
| 7.5.2 | Product cleanliness | No cleanliness requirements |
| 7.5.3 | Installation | No installation activities |
| 7.5.4 | Servicing | No servicing activities |
| 7.5.5 | Sterile products | No sterile products |

Nonconformity Disposition Decision Tree

```text
Nonconforming product identified
└── Can it be reworked?
    ├── Yes → Is a rework procedure available?
    │         ├── Yes → Rework per SOP
    │         └── No  → Create rework procedure
    └── No  → Can it be used as is?
              ├── Yes → Concession approval needed?
              │         ├── Yes → Customer approval
              │         └── No  → Use as is with MRB approval
              └── No  → Scrap or return to supplier
```

CAPA Initiation Criteria

| Source | Automatic CAPA | Evaluate for CAPA |
|---|---|---|
| Customer complaint | Safety-related | All others |
| External audit | Major NC | Minor NC |
| Internal audit | Major NC | Repeat minor NC |
| Product NC | Field failure | Trend exceeds threshold |
| Process deviation | Safety impact | Repeated deviations |

Tools and References

Scripts

| Tool | Purpose | Usage |
|---|---|---|
| qms_audit_checklist.py | Generate audit checklists by clause or process | python qms_audit_checklist.py --help |

Audit Checklist Generator Features:

  • Generate clause-specific checklists (e.g., --clause 7.3)
  • Generate process-based checklists (e.g., --process design-control)
  • Full system audit checklist (--audit-type system)
  • Text or JSON output formats
  • Interactive mode for guided selection

References

| Document | Content |
|---|---|
| iso13485-clause-requirements.md | Detailed requirements for each ISO 13485:2016 clause with audit questions |
| qms-process-templates.md | Ready-to-use templates for document control, audit, CAPA, supplier, training |

Quick Reference: Mandatory Documented Procedures

| Procedure | Clause | Key Elements |
|---|---|---|
| Document Control | 4.2.3 | Approval, distribution, obsolete control |
| Record Control | 4.2.4 | Identification, retention, disposal |
| Internal Audit | 8.2.4 | Program, auditor qualification, reporting |
| NC Product Control | 8.3 | Identification, segregation, disposition |
| Corrective Action | 8.5.2 | Root cause, implementation, verification |
| Preventive Action | 8.5.3 | Risk identification, implementation |

Related Skills

| Skill | Integration Point |
|---|---|
| quality-manager-qmr | Management review, quality policy |
| capa-officer | CAPA system management |
| qms-audit-expert | Advanced audit techniques |
| quality-documentation-manager | DHF, DMR, DHR management |
| risk-management-specialist | ISO 14971 integration |

ISO 13485:2016 Alignment with FDA QMSR

QMSR Transition Impact on ISO 13485 QMS

With the FDA's QMSR (effective February 2, 2026) incorporating ISO 13485:2016 by reference, organizations already ISO 13485 certified gain significant advantages:

| Area | Pre-QMSR (Dual System) | Post-QMSR (Unified) |
|---|---|---|
| Quality Manual | Separate FDA QSR and ISO 13485 references | Single Quality Manual referencing ISO 13485 |
| Design controls | 820.30 + ISO 13485 Clause 7.3 (mapped) | ISO 13485 Clause 7.3 (primary) |
| CAPA | 820.100 + ISO 13485 Clause 8.5 | ISO 13485 Clause 8.5 (primary) |
| Document control | 820.40 + ISO 13485 Clause 4.2 | ISO 13485 Clause 4.2 (primary) |
| Purchasing | 820.50 + ISO 13485 Clause 7.4 | ISO 13485 Clause 7.4 (primary) |
| Audits | Separate FDA and ISO audit tracks | Single audit satisfying both |

FDA-Retained Requirements Beyond ISO 13485

Even under QMSR, certain FDA-specific requirements remain. The QMS must address:

| FDA Requirement | CFR Reference | ISO 13485 Gap | Action |
|---|---|---|---|
| Complaint handling (medical device reports) | 21 CFR 820.198 | Clause 8.2.2 covers complaints but not FDA MDR reporting specifics | Add FDA MDR reporting procedure to complaint handling SOP |
| Corrections and removals | 21 CFR 806 | No direct equivalent | Maintain separate procedure for FDA reporting of corrections/removals |
| Unique Device Identification | 21 CFR 830 | No UDI clause in ISO 13485 | Add UDI procedures to labeling/identification processes |
| Electronic records and signatures | 21 CFR Part 11 | No electronic signature requirements | Implement Part 11 compliance for electronic QMS |

QMSR Gap Analysis Checklist

  • Map all existing QSR SOPs to ISO 13485 clause numbers
  • Identify FDA-retained requirements not covered by ISO 13485
  • Update Quality Manual scope and references
  • Retrain staff on ISO 13485 terminology (e.g., aligning on the term "design output")
  • Update supplier quality agreements to reference QMSR
  • Revise the internal audit checklist to cover the combined ISO 13485 + FDA requirements
  • Verify complaint handling addresses both ISO 13485 Clause 8.2.2 and 21 CFR 820.198
  • Conduct mock audit against QMSR requirements

Digital QMS Implementation

Electronic Document Management System (eDMS) Requirements

| Requirement | Implementation | Regulatory Basis |
|---|---|---|
| Document version control | Automatic versioning with audit trail | ISO 13485 Clause 4.2.3 |
| Electronic approval workflows | Role-based approval routing with e-signatures | 21 CFR Part 11, Annex 11 |
| Access controls | Role-based permissions, segregation of duties | ISO 13485 Clause 4.2.3(c) |
| Audit trail | Immutable record of all changes with timestamp, user, reason | 21 CFR Part 11 §11.10(e) |
| Backup and recovery | Regular backups with tested restore procedures | ISO 13485 Clause 4.2.4 |
| Training records integration | Link document access to training completion | ISO 13485 Clause 6.2 |
| Obsolete document control | Automatic removal from use with archival | ISO 13485 Clause 4.2.3(e) |

Electronic Signatures

| Signature Type | Use Case | Technical Requirement |
|---|---|---|
| Electronic signature | Document approval, batch release, CAPA closure | Linked to individual, date/time stamped, meaning included |
| Digital signature | High-assurance: design reviews, regulatory submissions | PKI-based, certificate authority, tamper-evident |
| Biometric signature | Optional for high-security processes | Fingerprint or similar biometric linked to identity |

Audit Trail Requirements

| Element | Description | Example |
|---|---|---|
| Who | User identity (not shared accounts) | jane.smith@company.com |
| What | Action performed | "Approved SOP-02-001 Rev 3" |
| When | Date and time (UTC or with timezone) | 2026-03-09T14:30:00Z |
| Why | Reason for change (required for modifications) | "Updated per CAPA-2026-003 findings" |
| Previous value | Old content (for modifications) | Automatic diff/version comparison |

Cross-Reference: 21 CFR Part 11 / Annex 11

21 CFR Part 11 Requirements for Electronic Records

| Requirement | Section | QMS Implementation |
|---|---|---|
| Validation | §11.10(a) | Validate eQMS software per GAMP 5 methodology |
| Audit trail | §11.10(e) | Computer-generated, timestamped, immutable audit trail |
| System access controls | §11.10(d) | Unique user IDs, passwords, role-based access |
| Authority checks | §11.10(g) | Only authorized individuals can use specific functions |
| Device checks | §11.10(h) | Verify source of data input |
| Personnel qualification | §11.10(i) | Training on system use and Part 11 requirements |
| Electronic signatures | §11.50, §11.100 | Unique to individual, not reusable, linked to records |
| Open vs. closed systems | §11.30 vs. §11.10 | Determine system type; open systems need encryption |
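The Audit Trail Requirements table (who/what/when/why/previous value) and the §11.10(e) row above both call for a computer-generated, timestamped, immutable trail, and "immutable" is the part an auditor will probe: can a record be altered after the fact without leaving a trace? The following is an added example (not code from the original skill or the borghei/claude-skills project) of one common way to make such tampering detectable: each entry carries the SHA-256 hash of the previous entry, so editing or deleting any stored entry breaks the chain at that point. The class and function names are mine. Two simplifications are assumptions for the example: an individual user is recognised by an e-mail-style identity (a stand-in for the "not shared accounts" rule), and an explicit `when` may be passed so the sample is reproducible, whereas a production system should always generate the timestamp itself. The two sample entries are constructed from the Example column of the table.

```python
"""Hash-chained, append-only audit trail with who/what/when/why/previous value (added example)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical content always hashes identically
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditTrail:
    """Append-only log; every entry is linked to its predecessor by hash."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def record(self, who: str, what: str, why: Optional[str] = None,
               previous_value: Optional[str] = None, when: Optional[str] = None) -> dict:
        # "Who" must be an individual identity; the e-mail check is a stand-in for a real user directory
        if "@" not in who:
            raise ValueError("audit entries must name an individual user, not a shared account")
        # "Why" is mandatory for modifications, i.e. whenever a previous value exists
        if previous_value is not None and not why:
            raise ValueError("a reason is required for modifications")
        body = {
            "seq": len(self._entries),
            "who": who,
            "what": what,
            # "When": system-generated UTC timestamp unless the caller supplies one (example only)
            "when": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "why": why,
            "previous_value": previous_value,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        body["hash"] = _digest({k: v for k, v in body.items() if k != "hash"})
        self._entries.append(body)
        return dict(body)

    def entries(self) -> list[dict]:
        return [dict(e) for e in self._entries]

    def verify(self) -> tuple[bool, Optional[int]]:
        """Recompute every hash and link; returns (ok, index of the first broken entry)."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_example_trail() -> AuditTrail:
    """Constructed entries mirroring the Example column of the Audit Trail Requirements table."""
    t = AuditTrail()
    t.record("jane.smith@company.com", "Approved SOP-02-001 Rev 3", when="2026-03-09T14:30:00Z")
    t.record("jane.smith@company.com", "Modified SOP-02-001 section 5.2",
             why="Updated per CAPA-2026-003 findings",
             previous_value="5.2 Records are retained for 5 years",  # constructed old content
             when="2026-03-09T14:35:00Z")
    return t


def detect_tampering() -> Optional[int]:
    """Simulate an after-the-fact edit of a stored entry and report where verification fails."""
    t = build_example_trail()
    t._entries[0]["what"] = "Approved SOP-02-001 Rev 4"  # direct edit bypassing record()
    _ok, first_bad = t.verify()
    return first_bad


if __name__ == "__main__":
    trail = build_example_trail()
    print("chain intact:", trail.verify())
    print("first broken entry after tampering:", detect_tampering())
```

The chain only proves that entries are consistent with each other; an attacker with write access to the whole store could rewrite every hash. In practice the latest hash (the chain head) is therefore anchored somewhere the application cannot overwrite, such as a write-once log or a periodically signed checkpoint, and the database role used by the eQMS is granted insert but not update or delete on the trail table.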

Annex 11 (EU GMP) Requirements

| Requirement | Section | QMS Implementation |
|---|---|---|
| Risk management | §1 | Apply risk-based approach to computerized system validation |
| Personnel | §2 | Designated system owner and trained users |
| Supplier assessment | §3 | Assess eQMS vendor quality and compliance capability |
| Validation | §4-5 | IQ/OQ/PQ for eQMS, validation plan and report |
| Data | §6-9 | Data integrity, accuracy checks, data storage |
| Printouts | §8 | Ability to generate clear, legible copies of electronic records |
| Audit trail | §9 | Record of all GMP-relevant changes |
| Change and configuration management | §10-11 | Controlled change process for system modifications |
| Security | §12 | Physical and logical security controls |
| Incident management | §13 | Procedure for reporting and managing system incidents |
| Electronic signatures | §14 | Equivalent legal standing to handwritten signatures |
| Batch release | §15 | Electronic batch release with appropriate controls |
| Business continuity | §16 | Contingency procedures for system unavailability |
| Archiving | §17 | Long-term accessibility and readability of archived data |

Remote Audit Considerations (Post-COVID)

Remote Audit Methodology

| Audit Element | On-Site Approach | Remote Equivalent |
|---|---|---|
| Document review | Physical review of controlled copies | Screen-sharing of eDMS, live navigation |
| Record sampling | Pull physical records from files | Live database queries via screen-share |
| Process observation | Walk the production floor | Live video tour, camera-equipped devices |
| Personnel interviews | Face-to-face | Video conference with individual sessions |
| Equipment verification | Physical inspection | Live video with zoom capability |
| Evidence collection | Photocopies, photographs | Screenshots, screen recordings, exported PDFs |

Remote Audit Best Practices

| Practice | Description |
|---|---|
| Pre-audit documentation | Share document packages 2 weeks before audit via secure portal |
| Technology testing | Test video conferencing, screen-sharing, and secure file transfer before audit |
| Audit plan adaptation | Allow 20-30% more time for remote activities vs. on-site |
| Secure communication | Use encrypted channels for all audit communications and evidence transfer |
| Real-time evidence | Prefer live demonstrations over pre-recorded material |
| Breakout rooms | Use separate video sessions for confidential interviews |
| Audit trail of the audit | Record audit sessions (with agreement) for reference |

Hybrid Audit Model

| Activity | Recommended Mode | Rationale |
|---|---|---|
| Opening/closing meetings | Remote | Efficient, schedule-friendly |
| Document and record review | Remote | Full eDMS access, efficient sampling |
| Process observation (manufacturing) | On-site | Cannot verify physical processes remotely |
| Cleanroom/controlled environment | On-site | Environmental conditions require physical presence |
| Software system review | Remote | Screen-sharing is equivalent or better |
| Management interview | Either | Remote is acceptable |
| Supplier audit (critical) | On-site | Physical verification essential |

Cross-Reference: ISO 42001 for AI-Enabled Medical Devices

ISO 42001 (AI Management System) Integration with ISO 13485

For medical device organizations developing AI-enabled products, ISO 42001:2023 provides an AI management system framework:

| ISO 42001 Clause | ISO 13485 Integration Point | Combined Requirement |
|---|---|---|
| 4. Context of the organization | Clause 4.1 (General requirements) | Extend QMS scope to include AI-specific processes |
| 5. Leadership | Clause 5 (Management responsibility) | AI governance within quality policy and objectives |
| 6. Planning (AI risk assessment) | Clause 7.1 (Risk management planning) | Extend ISO 14971 risk management to AI-specific risks |
| 7. Support (AI competence) | Clause 6.2 (Human resources) | Add AI/ML competency requirements to training matrix |
| 8. Operation (AI lifecycle) | Clause 7.3 (Design and development) | Integrate AI development lifecycle into design controls |
| 9. Performance evaluation | Clause 8 (Measurement, analysis) | Add AI performance metrics to quality monitoring |
| 10. Improvement | Clause 8.5 (CAPA) | Include AI-related incidents in CAPA scope |

AI Lifecycle Integration with Design Controls

The stages below run top to bottom; each design-control stage pairs with the corresponding AI lifecycle stage.

| ISO 13485 Design Control (Cl. 7.3) | ISO 42001 AI Lifecycle |
|---|---|
| Design Input (7.3.3) | AI System Requirements |
| Design Output (7.3.4) | Data Collection & Preparation; Model Architecture & Training |
| Design Review (7.3.5) | AI Model Validation Review |
| Design Verification (7.3.6) | Model Verification (accuracy, bias) |
| Design Validation (7.3.7) | Clinical Validation (real-world performance) |
| Design Transfer (7.3.8) | Model Deployment & Monitoring |
| Design Changes (7.3.9) | Model Retraining & Update Control |

Supplier Qualification for Software/Cloud Providers

Cloud Service Provider Qualification

| Qualification Criterion | Assessment Method | Minimum Requirement |
|---|---|---|
| Information security | ISO 27001 certificate or SOC 2 Type II report | Current certification for relevant scope |
| Data residency | Contractual agreement + architecture review | Data stored in jurisdictions compliant with regulations |
| Availability SLA | Service agreement review | 99.9% uptime minimum for critical systems |
| Backup and recovery | Architecture review + test results | RPO < 4 hours, RTO < 8 hours for critical systems |
| Incident notification | Contract clause review | Notification within 24 hours of security incident |
| Audit rights | Contract clause | Right to audit or receive audit reports |
| Regulatory compliance | Vendor compliance documentation | GxP-qualified environments (if applicable) |
| Exit strategy | Data portability assessment | Documented data export capability in standard formats |

Software Supplier Assessment

| Assessment Area | Category A (Critical) | Category B (Major) | Category C (Minor) |
|---|---|---|---|
| Quality system | ISO 13485 or ISO 9001 required | ISO 9001 preferred | Documented processes |
| Development process | IEC 62304 compliance evidence | SDLC documentation | Basic version control |
| Cybersecurity | IEC 81001-5-1 compliance | Security testing evidence | Basic security practices |
| Change management | Formal change control with notification | Release notes and notification | Version tracking |
| Validation support | IQ/OQ/PQ documentation provided | Functional test documentation | User documentation |
| Incident handling | SLA-based response with root cause | Defined support process | Best-effort support |

CAPA Integration with Cybersecurity Incidents

Cybersecurity Incident as CAPA Trigger

| Incident Type | CAPA Required? | Response Actions |
|---|---|---|
| Patient data breach | Yes — automatic | Contain → investigate → notify (GDPR 72h, HIPAA 60 days) → CAPA |
| Device vulnerability (exploitable) | Yes — automatic | Patch → verify → communicate → CAPA for root cause |
| Device vulnerability (not exploitable) | Evaluate | Risk assessment → mitigate if feasible → track |
| Malware on manufacturing system | Yes — automatic | Isolate → clean → verify product integrity → CAPA |
| Unauthorized access to QMS | Yes — automatic | Revoke access → assess impact → verify record integrity → CAPA |
| Supplier security incident | Evaluate | Assess impact on device/data → CAPA if product affected |

Cybersecurity CAPA Process

Step 1: Incident Detection and Containment
        → Activate incident response plan
        → Contain threat and preserve evidence
        → Assess impact on product safety and quality

Step 2: Investigation (Root Cause Analysis)
        → Technical forensic analysis
        → 5 Whys + attack chain reconstruction
        → Identify QMS process failures that enabled the incident
        → Assess whether product quality was affected

Step 3: Corrective Actions
        → Technical: patch vulnerability, update security controls
        → Process: update SOPs, access controls, monitoring
        → People: security awareness training
        → Product: assess need for field safety corrective action (FSCA)

Step 4: Preventive Actions
        → Threat modeling review for similar attack vectors
        → Security control gap analysis
        → Supply chain security review (if applicable)
        → Update cybersecurity risk assessment

Step 5: Effectiveness Verification
        → Penetration testing to verify fix
        → Monitoring for recurrence (90-day window)
        → Review of updated security metrics
        → Close CAPA with evidence of effectiveness

Step 6: Regulatory Reporting (if required)
        → MDR vigilance report (if patient safety affected)
        → FDA MedWatch report (if applicable)
        → GDPR breach notification (if personal data involved)
        → NIS2 incident report (if essential entity)

Cross-references: See ../information-security-manager-iso27001/SKILL.md for ISO 27001 incident response procedures, ../fda-consultant-specialist/SKILL.md for FDA QMSR alignment, and ../risk-management-specialist/SKILL.md for cybersecurity risk integration with ISO 14971.


ISO 13485 Enhanced — QMSR, Digital QMS & Cross-Framework Integration

ISO 13485:2016 Alignment with FDA QMSR

With FDA's Quality Management System Regulation (QMSR) effective Feb 2026:

  • Direct Alignment: FDA now recognizes ISO 13485:2016 as the quality system standard
  • Single QMS: Organizations can maintain one QMS for both FDA and EU market access
  • Gap Analysis: Identify differences between current QSR procedures and ISO 13485 requirements
  • Transition Plan: Map QSR 21 CFR 820 sections to ISO 13485 clauses, update procedures
  • Cross-reference: See fda-consultant-specialist for detailed FDA requirements

Digital QMS Implementation

  • Electronic Document Control: Validated electronic document management system (eDMS)
  • Electronic Signatures: 21 CFR Part 11 / EU Annex 11 compliant e-signatures
  • Audit Trail: Automated, timestamped, immutable record of all document changes
  • Cloud QMS Platforms: Qualification requirements for SaaS QMS solutions (IQ/OQ/PQ)
  • Cross-reference: See quality-documentation-manager for Part 11 compliance

Remote Audit Considerations

  • Hybrid Audits: Combination of on-site and remote activities (ISO 19011 guidance)
  • Technology Requirements: Secure video conferencing, screen sharing, document access
  • Limitations: Physical process observations may require on-site verification
  • Notified Body Acceptance: Most NBs accept hybrid audits for surveillance and recertification

AI-Enabled Medical Device QMS

  • ISO 42001 Integration: For organizations developing AI-enabled medical devices
  • Data Governance: Training data quality per ISO 42001 Annex A.7 within QMS
  • Model Lifecycle: AI model versioning and change control within existing QMS processes
  • Cross-reference: See iso42001-ai-management for AI management system requirements

Supplier Qualification for Software/Cloud Providers

  • Cloud Service Providers: Qualification checklist (SOC 2, ISO 27001, data residency, SLAs)
  • Open Source Software: Risk assessment for OSS components (licensing, maintenance, vulnerabilities)
  • SaaS Tools: Validation requirements for SaaS platforms used in QMS processes
  • SBOM Management: Track software components across the supply chain