
Quality Manager - QMS ISO 13485 Specialist

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "quality-manager-qms-iso13485" with this command: npx skills add borghei/claude-skills/borghei-claude-skills-quality-manager-qms-iso13485


ISO 13485:2016 Quality Management System implementation, maintenance, and certification support for medical device organizations.

Table of Contents

  • QMS Implementation Workflow

  • Document Control Workflow

  • Internal Audit Workflow

  • Process Validation Workflow

  • Supplier Qualification Workflow

  • QMS Process Reference

  • Decision Frameworks

  • Tools and References

QMS Implementation Workflow

Implement ISO 13485:2016 compliant quality management system from gap analysis through certification.

Workflow: Initial QMS Implementation

  • Conduct gap analysis against ISO 13485:2016 requirements
  • Document current state vs. required state for each clause
  • Prioritize gaps by:
      • Regulatory criticality
      • Risk to product safety
      • Resource requirements
  • Develop implementation roadmap with milestones
  • Establish Quality Manual per Clause 4.2.2:
      • QMS scope with justified exclusions
      • Process interactions
      • Procedure references
  • Create required documented procedures:
      • Document control (4.2.3)
      • Record control (4.2.4)
      • Internal audit (8.2.4)
      • Nonconforming product (8.3)
      • Corrective action (8.5.2)
      • Preventive action (8.5.3)
  • Deploy processes with training
  • Validation: Gap analysis complete; Quality Manual approved; all required procedures documented and trained

Gap Analysis Matrix

| Clause | Requirement | Current State | Gap | Priority | Action |
|---|---|---|---|---|---|
| 4.2.2 | Quality Manual | Not documented | Major | High | Create QM |
| 4.2.3 | Document control | Informal | Moderate | High | Formalize SOP |
| 5.6 | Management review | Ad hoc | Major | High | Establish schedule |
| 7.3 | Design control | Partial | Moderate | Medium | Complete procedures |
| 8.2.4 | Internal audit | None | Major | High | Create program |

QMS Structure

| Level | Document Type | Purpose | Example |
|---|---|---|---|
| 1 | Quality Manual | QMS overview, policy | QM-001 |
| 2 | Procedures | How processes work | SOP-02-001 |
| 3 | Work Instructions | Task-level detail | WI-06-012 |
| 4 | Records | Evidence of conformity | Training records |

Required Procedure List

| Clause | Procedure | Minimum Content |
|---|---|---|
| 4.2.3 | Document Control | Approval, review, distribution, obsolete control |
| 4.2.4 | Record Control | Identification, storage, retention, disposal |
| 8.2.4 | Internal Audit | Program, auditor qualification, reporting |
| 8.3 | Nonconforming Product | Identification, segregation, disposition |
| 8.5.2 | Corrective Action | Investigation, root cause, effectiveness |
| 8.5.3 | Preventive Action | Risk identification, implementation, verification |

Document Control Workflow

Establish and maintain document control per ISO 13485 Clause 4.2.3.

Workflow: Document Creation and Approval

  • Identify need for new document or revision
  • Assign document number per numbering convention:
      • Format: [TYPE]-[AREA]-[SEQUENCE]-[REV]
      • Example: SOP-02-001-01
  • Draft document using approved template
  • Route for review to subject matter experts
  • Collect and address review comments
  • Obtain required approvals based on document type
  • Update Document Master List
  • Validation: Document numbered correctly; all reviewers signed; Master List updated

Document Numbering Convention

| Prefix | Document Type | Approval Authority |
|---|---|---|
| QM | Quality Manual | Management Rep + CEO |
| POL | Policy | Department Head + QA |
| SOP | Procedure | Process Owner + QA |
| WI | Work Instruction | Supervisor + QA |
| TF | Template/Form | Process Owner |
| SPEC | Specification | Engineering + QA |

Area Codes

| Code | Area | Examples |
|---|---|---|
| 01 | Quality Management | Quality Manual, policy |
| 02 | Document Control | This procedure |
| 03 | Training | Competency procedures |
| 04 | Design | Design control |
| 05 | Purchasing | Supplier management |
| 06 | Production | Manufacturing |
| 07 | Quality Control | Inspection, testing |
| 08 | CAPA | Corrective actions |
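A validator for the [TYPE]-[AREA]-[SEQUENCE]-[REV] convention that also routes a change to the right approvers, written as an added example (it is not the skill's qms_audit_checklist.py or any script from the repository). The prefix and area tables are copied from this page; the rule that revisions start at 01, and the reading that Major and Emergency changes resolve to the document type's own approval authority, are assumptions.

```python
"""Document number validation and approval routing (added example)."""
import re
from dataclasses import dataclass

# Prefix -> (document type, approval authority), from the numbering table above.
PREFIXES = {
    "QM": ("Quality Manual", "Management Rep + CEO"),
    "POL": ("Policy", "Department Head + QA"),
    "SOP": ("Procedure", "Process Owner + QA"),
    "WI": ("Work Instruction", "Supervisor + QA"),
    "TF": ("Template/Form", "Process Owner"),
    "SPEC": ("Specification", "Engineering + QA"),
}

# Area code -> area, from the Area Codes table above.
AREAS = {
    "01": "Quality Management", "02": "Document Control", "03": "Training",
    "04": "Design", "05": "Purchasing", "06": "Production",
    "07": "Quality Control", "08": "CAPA",
}

# Change type -> approval level, from the Document Change Control table.
# None means "use the document type's own approval authority" (assumed reading
# of "Full review cycle" and of the retrospective review for emergencies).
CHANGE_APPROVAL = {
    "administrative": "Document Control",
    "minor": "Process Owner + QA",
    "major": None,
    "emergency": None,
}

DOC_NUMBER = re.compile(
    r"^(?P<prefix>[A-Z]+)-(?P<area>\d{2})-(?P<seq>\d{3})-(?P<rev>\d{2})$")


@dataclass(frozen=True)
class DocNumber:
    prefix: str
    area: str
    seq: int
    rev: int

    def __str__(self) -> str:
        return f"{self.prefix}-{self.area}-{self.seq:03d}-{self.rev:02d}"


def parse_doc_number(text: str) -> DocNumber:
    """Parse and validate a document number; raise ValueError with the reason
    so a malformed number is rejected before it reaches the Master List."""
    m = DOC_NUMBER.match(text.strip())
    if not m:
        raise ValueError(f"{text!r} does not match [TYPE]-[AREA]-[SEQUENCE]-[REV]")
    if m["prefix"] not in PREFIXES:
        raise ValueError(f"unknown document type prefix {m['prefix']!r}")
    if m["area"] not in AREAS:
        raise ValueError(f"unknown area code {m['area']!r}")
    rev = int(m["rev"])
    if rev == 0:  # assumption: first issue is revision 01
        raise ValueError("revision numbering starts at 01")
    return DocNumber(m["prefix"], m["area"], int(m["seq"]), rev)


def next_revision(text: str) -> str:
    """Document number of the next revision of an existing document."""
    d = parse_doc_number(text)
    if d.rev >= 99:
        raise ValueError("two-digit revision field exhausted; renumber the document")
    return str(DocNumber(d.prefix, d.area, d.seq, d.rev + 1))


def approval_route(text: str, change_type: str) -> dict:
    """Combine the document type's approval authority with the change type to
    decide who signs and whether a retrospective review is still owed."""
    d = parse_doc_number(text)
    doc_type, authority = PREFIXES[d.prefix]
    key = change_type.lower()
    if key not in CHANGE_APPROVAL:
        raise ValueError(f"unknown change type {change_type!r}")
    return {
        "document": str(d),
        "type": doc_type,
        "area": AREAS[d.area],
        "change_type": key,
        "approver": CHANGE_APPROVAL[key] or authority,
        "retrospective_review": key == "emergency",
    }


if __name__ == "__main__":
    print(approval_route("SOP-02-001-01", "major"))
    print(next_revision("SOP-02-001-01"))  # SOP-02-001-02
```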

Document Change Control

| Change Type | Approval Level | Examples |
|---|---|---|
| Administrative | Document Control | Typos, formatting |
| Minor | Process Owner + QA | Clarifications |
| Major | Full review cycle | Process changes |
| Emergency | Expedited + retrospective | Safety issues |

Document Review Schedule

| Document Type | Review Period | Trigger for Unscheduled Review |
|---|---|---|
| Quality Manual | Annual | Organizational change |
| Procedures | Annual | Audit finding, regulation change |
| Work Instructions | 2 years | Process change |
| Forms | 2 years | User feedback |

Internal Audit Workflow

Plan and execute internal audits per ISO 13485 Clause 8.2.4.

Workflow: Annual Audit Program

  • Identify processes and areas requiring audit coverage
  • Assess risk factors for audit frequency:
      • Previous audit findings
      • Regulatory changes
      • Process changes
      • Complaint trends
  • Assign qualified auditors (independent of area audited)
  • Develop annual audit schedule
  • Obtain management approval
  • Communicate schedule to process owners
  • Track completion and reschedule as needed
  • Validation: All processes covered; auditors qualified and independent; schedule approved

Workflow: Individual Audit Execution

  • Prepare audit plan with scope, criteria, and schedule
  • Notify auditee minimum 1 week prior
  • Review procedures and previous audit results
  • Prepare audit checklist
  • Conduct opening meeting
  • Collect evidence through:
      • Document review
      • Record sampling
      • Process observation
      • Personnel interviews
  • Classify findings:
      • Major NC: Absence or breakdown of system
      • Minor NC: Single lapse or deviation
      • Observation: Risk of future NC
  • Conduct closing meeting
  • Issue audit report within 5 business days
  • Validation: All checklist items addressed; findings supported by evidence; report distributed

Audit Program Template

| Audit # | Process | Clauses | Q1 | Q2 | Q3 | Q4 | Auditor |
|---|---|---|---|---|---|---|---|
| IA-001 | Document Control | 4.2.3, 4.2.4 | X | | | | [Name] |
| IA-002 | Management Review | 5.6 | | X | | | [Name] |
| IA-003 | Design Control | 7.3 | | | X | | [Name] |
| IA-004 | Production | 7.5 | | | X | | [Name] |
| IA-005 | CAPA | 8.5.2, 8.5.3 | | | | X | [Name] |

Auditor Qualification Requirements

| Criterion | Requirement |
|---|---|
| Training | ISO 13485 awareness + auditor training |
| Experience | Minimum 1 audit as observer |
| Independence | Not auditing own work area |
| Competence | Understanding of audited process |

Finding Classification Guide

| Classification | Criteria | Response Time |
|---|---|---|
| Major NC | System absence, total breakdown, regulatory violation | 30 days for CAPA |
| Minor NC | Single instance, partial compliance | 60 days for CAPA |
| Observation | Potential risk, improvement opportunity | Track in next audit |

Process Validation Workflow

Validate special processes per ISO 13485 Clause 7.5.6.

Workflow: Process Validation Protocol

  • Identify processes requiring validation:
      • Output cannot be verified by inspection
      • Deficiencies appear only in use
      • Sterilization, welding, sealing, software
  • Form validation team with subject matter experts
  • Write validation protocol including:
      • Process description and parameters
      • Equipment and materials
      • Acceptance criteria
      • Statistical approach
  • Execute Installation Qualification (IQ):
      • Verify equipment installed correctly
      • Document equipment specifications
  • Execute Operational Qualification (OQ):
      • Test parameter ranges
      • Verify process control
  • Execute Performance Qualification (PQ):
      • Run production conditions
      • Verify output meets requirements
  • Write validation report with conclusions
  • Validation: IQ/OQ/PQ complete; acceptance criteria met; validation report approved

Validation Documentation Requirements

| Phase | Content | Evidence |
|---|---|---|
| Protocol | Objectives, methods, criteria | Approved protocol |
| IQ | Equipment verification | Installation records |
| OQ | Parameter verification | Test results |
| PQ | Performance verification | Production data |
| Report | Summary, conclusions | Approval signatures |

Revalidation Triggers

| Trigger | Action Required |
|---|---|
| Equipment change | Assess impact, revalidate affected phases |
| Parameter change | OQ and PQ minimum |
| Material change | Assess impact, PQ minimum |
| Process failure | Full revalidation |
| Periodic | Per validation schedule (typically 3 years) |

Special Process Examples

| Process | Validation Standard | Critical Parameters |
|---|---|---|
| EO Sterilization | ISO 11135 | Temperature, humidity, EO concentration, time |
| Steam Sterilization | ISO 17665 | Temperature, pressure, time |
| Radiation Sterilization | ISO 11137 | Dose, dose uniformity |
| Sealing | Internal | Temperature, pressure, dwell time |
| Welding | ISO 11607 | Heat, pressure, speed |

Supplier Qualification Workflow

Evaluate and approve suppliers per ISO 13485 Clause 7.4.

Workflow: New Supplier Qualification

  • Identify supplier category:
      • Category A: Critical (affects safety/performance)
      • Category B: Major (affects quality)
      • Category C: Minor (indirect impact)
  • Request supplier information:
      • Quality certifications
      • Product specifications
      • Quality history
  • Evaluate supplier based on:
      • Quality system (ISO certification)
      • Technical capability
      • Quality history
      • Financial stability
  • For Category A suppliers:
      • Conduct on-site audit
      • Require quality agreement
  • Calculate qualification score
  • Make approval decision:
      • >80: Approved
      • 60-80: Conditional approval
      • <60: Not approved
  • Add to Approved Supplier List
  • Validation: Evaluation criteria scored; qualification records complete; supplier categorized

Supplier Evaluation Criteria

| Criterion | Weight | Scoring |
|---|---|---|
| Quality System | 30% | ISO 13485=30, ISO 9001=20, Documented=10, None=0 |
| Quality History | 25% | Reject rate: <1%=25, 1-3%=15, >3%=0 |
| Delivery | 20% | On-time: >95%=20, 90-95%=10, <90%=0 |
| Technical Capability | 15% | Exceeds=15, Meets=10, Marginal=5 |
| Financial Stability | 10% | Strong=10, Adequate=5, Questionable=0 |
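The weighted criteria above and the approval thresholds from the workflow (>80 approved, 60-80 conditional, <60 not approved) carried through in code, as an added example rather than the skill's own tooling. It makes the band boundaries explicit (a reject rate of exactly 1% or 3%, on-time delivery of exactly 95%, a total of exactly 80) and treats the Category A on-site audit and quality agreement as gates on the decision, which is an assumption drawn from the workflow steps.

```python
"""Supplier qualification scoring (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SupplierEvidence:
    category: str                 # "A", "B" or "C"
    quality_system: str           # "ISO 13485", "ISO 9001", "Documented", "None"
    reject_rate_pct: float        # rejected lots as a percentage of lots received
    on_time_pct: float            # on-time deliveries as a percentage of orders
    technical: str                # "Exceeds", "Meets", "Marginal"
    financial: str                # "Strong", "Adequate", "Questionable"
    on_site_audit_done: bool = False
    quality_agreement_signed: bool = False


QUALITY_SYSTEM = {"ISO 13485": 30, "ISO 9001": 20, "Documented": 10, "None": 0}
TECHNICAL = {"Exceeds": 15, "Meets": 10, "Marginal": 5}
FINANCIAL = {"Strong": 10, "Adequate": 5, "Questionable": 0}


def quality_history_points(reject_rate_pct: float) -> int:
    # Bands from the table: <1% = 25, 1-3% = 15, >3% = 0.
    # Exactly 1% and exactly 3% fall in the middle band.
    if reject_rate_pct < 0:
        raise ValueError("reject rate cannot be negative")
    if reject_rate_pct < 1:
        return 25
    if reject_rate_pct <= 3:
        return 15
    return 0


def delivery_points(on_time_pct: float) -> int:
    # Bands from the table: >95% = 20, 90-95% = 10, <90% = 0.
    if not 0 <= on_time_pct <= 100:
        raise ValueError("on-time percentage must be between 0 and 100")
    if on_time_pct > 95:
        return 20
    if on_time_pct >= 90:
        return 10
    return 0


def score_supplier(ev: SupplierEvidence) -> dict:
    """Per-criterion points, the total (max 100) and the approval decision."""
    try:
        points = {
            "quality_system": QUALITY_SYSTEM[ev.quality_system],
            "quality_history": quality_history_points(ev.reject_rate_pct),
            "delivery": delivery_points(ev.on_time_pct),
            "technical_capability": TECHNICAL[ev.technical],
            "financial_stability": FINANCIAL[ev.financial],
        }
    except KeyError as exc:
        raise ValueError(f"unrecognised rating {exc.args[0]!r}") from exc
    total = sum(points.values())

    # Thresholds from the workflow; a total of exactly 80 is conditional.
    if total > 80:
        decision = "Approved"
    elif total >= 60:
        decision = "Conditional approval"
    else:
        decision = "Not approved"

    # Assumed gating rule: a Category A (critical) supplier is not approved,
    # even conditionally, until the on-site audit and quality agreement exist.
    missing = []
    if ev.category.upper() == "A":
        if not ev.on_site_audit_done:
            missing.append("on-site audit")
        if not ev.quality_agreement_signed:
            missing.append("quality agreement")
    if missing and decision != "Not approved":
        decision = "Pending: " + ", ".join(missing)

    return {"points": points, "total": total, "decision": decision}


if __name__ == "__main__":
    sample = SupplierEvidence("A", "ISO 13485", 0.5, 97.0, "Meets", "Strong",
                              on_site_audit_done=True, quality_agreement_signed=True)
    print(score_supplier(sample))  # total 95, Approved
```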

Supplier Category Requirements

| Category | Qualification | Monitoring | Agreement |
|---|---|---|---|
| A - Critical | On-site audit | Annual review | Quality agreement |
| B - Major | Questionnaire | Semi-annual review | Quality requirements |
| C - Minor | Assessment | Issue-based | Standard terms |

Supplier Performance Metrics

| Metric | Target | Calculation |
|---|---|---|
| Accept Rate | >98% | (Accepted lots / Total lots) × 100 |
| On-Time Delivery | >95% | (On-time / Total orders) × 100 |
| Response Time | <5 days | Average days to resolve issues |
| Documentation | 100% | (Complete CoCs / Required CoCs) × 100 |

QMS Process Reference

ISO 13485 Clause Structure

| Clause | Title | Key Requirements |
|---|---|---|
| 4.1 | General Requirements | Process identification, interaction, outsourcing |
| 4.2 | Documentation | Quality Manual, procedures, records |
| 5.1-5.5 | Management Responsibility | Commitment, policy, objectives, organization |
| 5.6 | Management Review | Inputs, outputs, records |
| 6.1-6.4 | Resource Management | Personnel, infrastructure, environment |
| 7.1 | Product Realization Planning | Quality plan, risk management |
| 7.2 | Customer Requirements | Determination, review, communication |
| 7.3 | Design and Development | Planning, inputs, outputs, review, V&V, transfer, changes |
| 7.4 | Purchasing | Supplier control, purchasing info, verification |
| 7.5 | Production | Control, cleanliness, validation, identification, traceability |
| 7.6 | Monitoring Equipment | Calibration, control |
| 8.1 | Measurement Planning | Monitoring and analysis planning |
| 8.2 | Monitoring | Feedback, complaints, reporting, audits, process, product |
| 8.3 | Nonconforming Product | Control, disposition |
| 8.4 | Data Analysis | Trend analysis |
| 8.5 | Improvement | CAPA |

Management Review Required Inputs (Clause 5.6.2)

| Input | Source | Prepared By |
|---|---|---|
| Audit results | Internal and external audits | QA Manager |
| Customer feedback | Complaints, surveys | Customer Quality |
| Process performance | Process metrics | Process Owners |
| Product conformity | Inspection data, NCs | QC Manager |
| CAPA status | CAPA system | CAPA Officer |
| Previous actions | Prior review records | QMR |
| Changes affecting QMS | Regulatory, organizational | RA Manager |
| Recommendations | All sources | All Managers |

Record Retention Requirements

| Record Type | Minimum Retention | Regulatory Basis |
|---|---|---|
| Device Master Record | Life of device + 2 years | 21 CFR 820.181 |
| Device History Record | Life of device + 2 years | 21 CFR 820.184 |
| Design History File | Life of device + 2 years | 21 CFR 820.30 |
| Complaint Records | Life of device + 2 years | 21 CFR 820.198 |
| Training Records | Employment + 3 years | Best practice |
| Audit Records | 7 years | Best practice |
| CAPA Records | 7 years | Best practice |
| Calibration Records | Equipment life + 2 years | Best practice |

Decision Frameworks

Exclusion Justification (Clause 4.2.2)

| Clause | Permissible Exclusion | Justification Required |
|---|---|---|
| 6.4.2 | Contamination control | Product not affected by contamination |
| 7.3 | Design and development | Organization does not design products |
| 7.5.2 | Product cleanliness | No cleanliness requirements |
| 7.5.3 | Installation | No installation activities |
| 7.5.4 | Servicing | No servicing activities |
| 7.5.5 | Sterile products | No sterile products |

Nonconformity Disposition Decision Tree

```text
Nonconforming Product Identified
│
▼
Can it be reworked?
├── Yes → Is rework procedure available?
│         ├── Yes → Rework per SOP
│         └── No  → Create rework procedure
└── No  → Can it be used as is?
          ├── Yes → Concession approval needed?
          │         ├── Yes → Customer approval
          │         └── No  → Use as is with MRB approval
          └── No  → Scrap or return to supplier
```

CAPA Initiation Criteria

| Source | Automatic CAPA | Evaluate for CAPA |
|---|---|---|
| Customer complaint | Safety-related | All others |
| External audit | Major NC | Minor NC |
| Internal audit | Major NC | Repeat minor NC |
| Product NC | Field failure | Trend exceeds threshold |
| Process deviation | Safety impact | Repeated deviations |

Tools and References

Scripts

| Tool | Purpose | Usage |
|---|---|---|
| qms_audit_checklist.py | Generate audit checklists by clause or process | python qms_audit_checklist.py --help |

Audit Checklist Generator Features:

  • Generate clause-specific checklists (e.g., --clause 7.3)
  • Generate process-based checklists (e.g., --process design-control)
  • Full system audit checklist (--audit-type system)
  • Text or JSON output formats
  • Interactive mode for guided selection

References

| Document | Content |
|---|---|
| iso13485-clause-requirements.md | Detailed requirements for each ISO 13485:2016 clause with audit questions |
| qms-process-templates.md | Ready-to-use templates for document control, audit, CAPA, supplier, training |

Quick Reference: Mandatory Documented Procedures

| Procedure | Clause | Key Elements |
|---|---|---|
| Document Control | 4.2.3 | Approval, distribution, obsolete control |
| Record Control | 4.2.4 | Identification, retention, disposal |
| Internal Audit | 8.2.4 | Program, auditor qualification, reporting |
| NC Product Control | 8.3 | Identification, segregation, disposition |
| Corrective Action | 8.5.2 | Root cause, implementation, verification |
| Preventive Action | 8.5.3 | Risk identification, implementation |

Related Skills

| Skill | Integration Point |
|---|---|
| quality-manager-qmr | Management review, quality policy |
| capa-officer | CAPA system management |
| qms-audit-expert | Advanced audit techniques |
| quality-documentation-manager | DHF, DMR, DHR management |
| risk-management-specialist | ISO 14971 integration |

ISO 13485:2016 Alignment with FDA QMSR

QMSR Transition Impact on ISO 13485 QMS

With the FDA's QMSR (effective February 2, 2026) incorporating ISO 13485:2016 by reference, organizations already ISO 13485 certified gain significant advantages:

| Area | Pre-QMSR (Dual System) | Post-QMSR (Unified) |
|---|---|---|
| Quality Manual | Separate FDA QSR and ISO 13485 references | Single Quality Manual referencing ISO 13485 |
| Design controls | 820.30 + ISO 13485 Clause 7.3 (mapped) | ISO 13485 Clause 7.3 (primary) |
| CAPA | 820.100 + ISO 13485 Clause 8.5 | ISO 13485 Clause 8.5 (primary) |
| Document control | 820.40 + ISO 13485 Clause 4.2 | ISO 13485 Clause 4.2 (primary) |
| Purchasing | 820.50 + ISO 13485 Clause 7.4 | ISO 13485 Clause 7.4 (primary) |
| Audits | Separate FDA and ISO audit tracks | Single audit satisfying both |

FDA-Retained Requirements Beyond ISO 13485

Even under QMSR, certain FDA-specific requirements remain. The QMS must address:

| FDA Requirement | CFR Reference | ISO 13485 Gap | Action |
|---|---|---|---|
| Complaint handling (medical device reports) | 21 CFR 820.198 | Clause 8.2.2 covers complaints but not FDA MDR reporting specifics | Add FDA MDR reporting procedure to complaint handling SOP |
| Corrections and removals | 21 CFR 806 | No direct equivalent | Maintain separate procedure for FDA reporting of corrections/removals |
| Unique Device Identification | 21 CFR 830 | No UDI clause in ISO 13485 | Add UDI procedures to labeling/identification processes |
| Electronic records and signatures | 21 CFR Part 11 | No electronic signature requirements | Implement Part 11 compliance for electronic QMS |

QMSR Gap Analysis Checklist

  • Map all existing QSR SOPs to ISO 13485 clause numbers

  • Identify FDA-retained requirements not covered by ISO 13485

  • Update Quality Manual scope and references

  • Retrain staff on ISO 13485 terminology (e.g., "design output" terminology alignment)

  • Update supplier quality agreements to reference QMSR

  • Revise internal audit checklist to combined ISO 13485 + FDA requirements

  • Verify complaint handling addresses both ISO 13485 Clause 8.2.2 and 21 CFR 820.198

  • Conduct mock audit against QMSR requirements

Digital QMS Implementation

Electronic Document Management System (eDMS) Requirements

| Requirement | Implementation | Regulatory Basis |
|---|---|---|
| Document version control | Automatic versioning with audit trail | ISO 13485 Clause 4.2.3 |
| Electronic approval workflows | Role-based approval routing with e-signatures | 21 CFR Part 11, Annex 11 |
| Access controls | Role-based permissions, segregation of duties | ISO 13485 Clause 4.2.3(c) |
| Audit trail | Immutable record of all changes with timestamp, user, reason | 21 CFR Part 11 §11.10(e) |
| Backup and recovery | Regular backups with tested restore procedures | ISO 13485 Clause 4.2.4 |
| Training records integration | Link document access to training completion | ISO 13485 Clause 6.2 |
| Obsolete document control | Automatic removal from use with archival | ISO 13485 Clause 4.2.3(e) |

Electronic Signatures

| Signature Type | Use Case | Technical Requirement |
|---|---|---|
| Electronic signature | Document approval, batch release, CAPA closure | Linked to individual, date/time stamped, meaning included |
| Digital signature | High-assurance: design reviews, regulatory submissions | PKI-based, certificate authority, tamper-evident |
| Biometric signature | Optional for high-security processes | Fingerprint or similar biometric linked to identity |

Audit Trail Requirements

| Element | Description | Example |
|---|---|---|
| Who | User identity (not shared accounts) | jane.smith@company.com |
| What | Action performed | "Approved SOP-02-001 Rev 3" |
| When | Date and time (UTC or with timezone) | 2026-03-09T14:30:00Z |
| Why | Reason for change (required for modifications) | "Updated per CAPA-2026-003 findings" |
| Previous value | Old content (for modifications) | Automatic diff/version comparison |
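An added example (not code from the skill) of an append-only trail that records the who/what/when/why/previous-value elements above and detects later modification or deletion: each entry's SHA-256 covers its content and the previous entry's hash, so the "immutable" property the eDMS table asks for can be checked rather than assumed. The hash-chaining scheme is an assumption about implementation, not something Part 11 prescribes; the entries by bob.lee@company.com and the section text are constructed, the other sample values come from the table.

```python
"""Hash-chained audit trail with who/what/when/why/previous-value (added example)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    who: str                       # individual user identity, never a shared account
    what: str                      # action performed
    when: str                      # ISO 8601 timestamp, UTC
    why: Optional[str]             # reason for change, mandatory for modifications
    previous_value: Optional[str]  # old content, present for modifications
    prev_hash: str                 # hash of the preceding entry (the chain link)
    hash: str = ""

    def payload(self) -> dict:
        """Everything covered by this entry's hash."""
        d = asdict(self)
        d.pop("hash")
        return d


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class AuditTrail:
    """In-memory trail: entries can be appended, never edited or removed."""

    def __init__(self) -> None:
        self._entries: list[AuditEntry] = []

    def append(self, who: str, what: str, *, why: Optional[str] = None,
               previous_value: Optional[str] = None,
               when: Optional[datetime] = None) -> AuditEntry:
        if not who:
            raise ValueError("every entry must name an individual user")
        # A modification (anything carrying a previous value) must give a reason.
        if previous_value is not None and not why:
            raise ValueError("reason for change is required for modifications")
        stamp = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        draft = AuditEntry(
            seq=len(self._entries) + 1, who=who, what=what,
            when=stamp.isoformat(timespec="seconds").replace("+00:00", "Z"),
            why=why, previous_value=previous_value,
            prev_hash=self._entries[-1].hash if self._entries else GENESIS,
        )
        entry = AuditEntry(**draft.payload(), hash=_digest(draft.payload()))
        self._entries.append(entry)
        return entry

    def entries(self) -> list[AuditEntry]:
        return list(self._entries)


def verify_chain(entries: list[AuditEntry]) -> tuple[bool, Optional[int]]:
    """Recompute every hash and link; return (ok, seq of the first bad entry)."""
    prev = GENESIS
    for expected_seq, e in enumerate(entries, start=1):
        if e.seq != expected_seq or e.prev_hash != prev or _digest(e.payload()) != e.hash:
            return False, e.seq
        prev = e.hash
    return True, None


def demo() -> dict:
    """Build a three-entry trail (constructed sample data), then verify a clean
    copy, a copy with entry 2 rewritten, and a copy with entry 2 deleted."""
    trail = AuditTrail()
    t0 = datetime(2026, 3, 9, 14, 30, tzinfo=timezone.utc)
    trail.append("jane.smith@company.com", "Approved SOP-02-001 Rev 3", when=t0)
    trail.append("jane.smith@company.com", "Modified SOP-02-001 section 5",
                 why="Updated per CAPA-2026-003 findings",
                 previous_value="Rev 2 wording of section 5", when=t0)
    trail.append("bob.lee@company.com", "Obsoleted SOP-02-001 Rev 2", when=t0)
    clean = trail.entries()
    # Forgery: entry 2's action text rewritten after the fact, stored hash kept.
    e2 = clean[1]
    forged = AuditEntry(**{**e2.payload(), "what": "Reviewed SOP-02-001"}, hash=e2.hash)
    return {
        "first_when": clean[0].when,
        "clean": verify_chain(clean),
        "modified": verify_chain([clean[0], forged, clean[2]]),
        "deleted": verify_chain([clean[0], clean[2]]),
    }


if __name__ == "__main__":
    print(demo())
```

Persisting the entries to a database or file keeps the same property, provided the stored hash is re-verified rather than trusted when the trail is read back.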

Cross-Reference: 21 CFR Part 11 / Annex 11

21 CFR Part 11 Requirements for Electronic Records

| Requirement | Section | QMS Implementation |
|---|---|---|
| Validation | §11.10(a) | Validate eQMS software per GAMP 5 methodology |
| Audit trail | §11.10(e) | Computer-generated, timestamped, immutable audit trail |
| System access controls | §11.10(d) | Unique user IDs, passwords, role-based access |
| Authority checks | §11.10(g) | Only authorized individuals can use specific functions |
| Device checks | §11.10(h) | Verify source of data input |
| Personnel qualification | §11.10(i) | Training on system use and Part 11 requirements |
| Electronic signatures | §11.50, §11.100 | Unique to individual, not reusable, linked to records |
| Open vs. closed systems | §11.30 vs. §11.10 | Determine system type; open systems need encryption |

Annex 11 (EU GMP) Requirements

| Requirement | Section | QMS Implementation |
|---|---|---|
| Risk management | §1 | Apply risk-based approach to computerized system validation |
| Personnel | §2 | Designated system owner and trained users |
| Supplier assessment | §3 | Assess eQMS vendor quality and compliance capability |
| Validation | §4-5 | IQ/OQ/PQ for eQMS, validation plan and report |
| Data | §6-9 | Data integrity, accuracy checks, data storage |
| Printouts | §8 | Ability to generate clear, legible copies of electronic records |
| Audit trail | §9 | Record of all GMP-relevant changes |
| Change and configuration management | §10-11 | Controlled change process for system modifications |
| Security | §12 | Physical and logical security controls |
| Incident management | §13 | Procedure for reporting and managing system incidents |
| Electronic signatures | §14 | Equivalent legal standing to handwritten signatures |
| Batch release | §15 | Electronic batch release with appropriate controls |
| Business continuity | §16 | Contingency procedures for system unavailability |
| Archiving | §17 | Long-term accessibility and readability of archived data |

Remote Audit Considerations (Post-COVID)

Remote Audit Methodology

| Audit Element | On-Site Approach | Remote Equivalent |
|---|---|---|
| Document review | Physical review of controlled copies | Screen-sharing of eDMS, live navigation |
| Record sampling | Pull physical records from files | Live database queries via screen-share |
| Process observation | Walk the production floor | Live video tour, camera-equipped devices |
| Personnel interviews | Face-to-face | Video conference with individual sessions |
| Equipment verification | Physical inspection | Live video with zoom capability |
| Evidence collection | Photocopies, photographs | Screenshots, screen recordings, exported PDFs |

Remote Audit Best Practices

| Practice | Description |
|---|---|
| Pre-audit documentation | Share document packages 2 weeks before audit via secure portal |
| Technology testing | Test video conferencing, screen-sharing, and secure file transfer before audit |
| Audit plan adaptation | Allow 20-30% more time for remote activities vs. on-site |
| Secure communication | Use encrypted channels for all audit communications and evidence transfer |
| Real-time evidence | Prefer live demonstrations over pre-recorded material |
| Breakout rooms | Use separate video sessions for confidential interviews |
| Audit trail of the audit | Record audit sessions (with agreement) for reference |

Hybrid Audit Model

| Activity | Recommended Mode | Rationale |
|---|---|---|
| Opening/closing meetings | Remote | Efficient, schedule-friendly |
| Document and record review | Remote | Full eDMS access, efficient sampling |
| Process observation (manufacturing) | On-site | Cannot verify physical processes remotely |
| Cleanroom/controlled environment | On-site | Environmental conditions require physical presence |
| Software system review | Remote | Screen-sharing is equivalent or better |
| Management interview | Either | Remote is acceptable |
| Supplier audit (critical) | On-site | Physical verification essential |

Cross-Reference: ISO 42001 for AI-Enabled Medical Devices

ISO 42001 (AI Management System) Integration with ISO 13485

For medical device organizations developing AI-enabled products, ISO 42001:2023 provides an AI management system framework:

| ISO 42001 Clause | ISO 13485 Integration Point | Combined Requirement |
|---|---|---|
| Context of the organization | Clause 4.1 (General requirements) | Extend QMS scope to include AI-specific processes |
| Leadership | Clause 5 (Management responsibility) | AI governance within quality policy and objectives |
| Planning (AI risk assessment) | Clause 7.1 (Risk management planning) | Extend ISO 14971 risk management to AI-specific risks |
| Support (AI competence) | Clause 6.2 (Human resources) | Add AI/ML competency requirements to training matrix |
| Operation (AI lifecycle) | Clause 7.3 (Design and development) | Integrate AI development lifecycle into design controls |
| Performance evaluation | Clause 8 (Measurement, analysis) | Add AI performance metrics to quality monitoring |
| Improvement | Clause 8.5 (CAPA) | Include AI-related incidents in CAPA scope |

AI Lifecycle Integration with Design Controls

| ISO 13485 Design Control (Cl. 7.3) | ISO 42001 AI Lifecycle |
|---|---|
| Design Input (7.3.3) | AI System Requirements |
| Design Output (7.3.4) | Data Collection & Preparation → Model Architecture & Training |
| Design Review (7.3.5) | AI Model Validation Review |
| Design Verification (7.3.6) | Model Verification (accuracy, bias) |
| Design Validation (7.3.7) | Clinical Validation (real-world performance) |
| Design Transfer (7.3.8) | Model Deployment & Monitoring |
| Design Changes (7.3.9) | Model Retraining & Update Control |

Each row is one stage; the stages run top to bottom in both columns.

Supplier Qualification for Software/Cloud Providers

Cloud Service Provider Qualification

| Qualification Criterion | Assessment Method | Minimum Requirement |
|---|---|---|
| Information security | ISO 27001 certificate or SOC 2 Type II report | Current certification for relevant scope |
| Data residency | Contractual agreement + architecture review | Data stored in jurisdictions compliant with regulations |
| Availability SLA | Service agreement review | 99.9% uptime minimum for critical systems |
| Backup and recovery | Architecture review + test results | RPO < 4 hours, RTO < 8 hours for critical systems |
| Incident notification | Contract clause review | Notification within 24 hours of security incident |
| Audit rights | Contract clause | Right to audit or receive audit reports |
| Regulatory compliance | Vendor compliance documentation | GxP-qualified environments (if applicable) |
| Exit strategy | Data portability assessment | Documented data export capability in standard formats |

Software Supplier Assessment

| Assessment Area | Category A (Critical) | Category B (Major) | Category C (Minor) |
|---|---|---|---|
| Quality system | ISO 13485 or ISO 9001 required | ISO 9001 preferred | Documented processes |
| Development process | IEC 62304 compliance evidence | SDLC documentation | Basic version control |
| Cybersecurity | IEC 81001-5-1 compliance | Security testing evidence | Basic security practices |
| Change management | Formal change control with notification | Release notes and notification | Version tracking |
| Validation support | IQ/OQ/PQ documentation provided | Functional test documentation | User documentation |
| Incident handling | SLA-based response with root cause | Defined support process | Best-effort support |

CAPA Integration with Cybersecurity Incidents

Cybersecurity Incident as CAPA Trigger

| Incident Type | CAPA Required? | Response Actions |
|---|---|---|
| Patient data breach | Yes — automatic | Contain → investigate → notify (GDPR 72h, HIPAA 60 days) → CAPA |
| Device vulnerability (exploitable) | Yes — automatic | Patch → verify → communicate → CAPA for root cause |
| Device vulnerability (not exploitable) | Evaluate | Risk assessment → mitigate if feasible → track |
| Malware on manufacturing system | Yes — automatic | Isolate → clean → verify product integrity → CAPA |
| Unauthorized access to QMS | Yes — automatic | Revoke access → assess impact → verify record integrity → CAPA |
| Supplier security incident | Evaluate | Assess impact on device/data → CAPA if product affected |

Cybersecurity CAPA Process

Step 1: Incident Detection and Containment
  • Activate incident response plan
  • Contain threat and preserve evidence
  • Assess impact on product safety and quality

Step 2: Investigation (Root Cause Analysis)
  • Technical forensic analysis
  • 5 Whys + attack chain reconstruction
  • Identify QMS process failures that enabled the incident
  • Assess whether product quality was affected

Step 3: Corrective Actions
  • Technical: patch vulnerability, update security controls
  • Process: update SOPs, access controls, monitoring
  • People: security awareness training
  • Product: assess need for field safety corrective action (FSCA)

Step 4: Preventive Actions
  • Threat modeling review for similar attack vectors
  • Security control gap analysis
  • Supply chain security review (if applicable)
  • Update cybersecurity risk assessment

Step 5: Effectiveness Verification
  • Penetration testing to verify fix
  • Monitoring for recurrence (90-day window)
  • Review of updated security metrics
  • Close CAPA with evidence of effectiveness

Step 6: Regulatory Reporting (if required)
  • MDR vigilance report (if patient safety affected)
  • FDA MedWatch report (if applicable)
  • GDPR breach notification (if personal data involved)
  • NIS2 incident report (if essential entity)

Cross-references: See ../information-security-manager-iso27001/SKILL.md for ISO 27001 incident response procedures, ../fda-consultant-specialist/SKILL.md for FDA QMSR alignment, and ../risk-management-specialist/SKILL.md for cybersecurity risk integration with ISO 14971.

ISO 13485 Enhanced — QMSR, Digital QMS & Cross-Framework Integration

ISO 13485:2016 Alignment with FDA QMSR

With FDA's Quality Management System Regulation (QMSR) effective Feb 2026:

  • Direct Alignment: FDA now recognizes ISO 13485:2016 as the quality system standard

  • Single QMS: Organizations can maintain one QMS for both FDA and EU market access

  • Gap Analysis: Identify differences between current QSR procedures and ISO 13485 requirements

  • Transition Plan: Map QSR 21 CFR 820 sections to ISO 13485 clauses, update procedures

  • Cross-reference: See fda-consultant-specialist for detailed FDA requirements

Digital QMS Implementation

  • Electronic Document Control: Validated electronic document management system (eDMS)

  • Electronic Signatures: 21 CFR Part 11 / EU Annex 11 compliant e-signatures

  • Audit Trail: Automated, timestamped, immutable record of all document changes

  • Cloud QMS Platforms: Qualification requirements for SaaS QMS solutions (IQ/OQ/PQ)

  • Cross-reference: See quality-documentation-manager for Part 11 compliance

Remote Audit Considerations

  • Hybrid Audits: Combination of on-site and remote activities (ISO 19011 guidance)

  • Technology Requirements: Secure video conferencing, screen sharing, document access

  • Limitations: Physical process observations may require on-site verification

  • Notified Body Acceptance: Most NBs accept hybrid audits for surveillance and recertification

AI-Enabled Medical Device QMS

  • ISO 42001 Integration: For organizations developing AI-enabled medical devices

  • Data Governance: Training data quality per ISO 42001 Annex A.7 within QMS

  • Model Lifecycle: AI model versioning and change control within existing QMS processes

  • Cross-reference: See iso42001-ai-management for AI management system requirements

Supplier Qualification for Software/Cloud Providers

  • Cloud Service Providers: Qualification checklist (SOC 2, ISO 27001, data residency, SLAs)

  • Open Source Software: Risk assessment for OSS components (licensing, maintenance, vulnerabilities)

  • SaaS Tools: Validation requirements for SaaS platforms used in QMS processes

  • SBOM Management: Track software components across the supply chain
