Name: Quality Manager Qms Iso13485
Author: borghei

Search skills.../

Quality Manager Qms Iso13485 | Skills Pool

Clause	Requirement	Current State	Gap	Priority	Action
4.2.2	Quality Manual	Not documented	Major	High	Create QM
4.2.3	Document control	Informal	Moderate	High	Formalize SOP
5.6	Management review	Ad hoc	Major	High	Establish schedule
7.3	Design control	Partial	Moderate	Medium	Complete procedures
8.2.4	Internal audit	None	Major	High	Create program

Level	Document Type	Purpose	Example
1	Quality Manual	QMS overview, policy	QM-001
2	Procedures	How processes work	SOP-02-001
3	Work Instructions	Task-level detail	WI-06-012
4	Records	Evidence of conformity	Training records

Clause	Procedure	Minimum Content
4.2.3	Document Control	Approval, review, distribution, obsolete control
4.2.4	Record Control	Identification, storage, retention, disposal
8.2.4	Internal Audit	Program, auditor qualification, reporting
8.3	Nonconforming Product	Identification, segregation, disposition
8.5.2	Corrective Action	Investigation, root cause, effectiveness
8.5.3	Preventive Action	Risk identification, implementation, verification

Prefix	Document Type	Approval Authority
QM	Quality Manual	Management Rep + CEO
POL	Policy	Department Head + QA
SOP	Procedure	Process Owner + QA
WI	Work Instruction	Supervisor + QA
TF	Template/Form	Process Owner
SPEC	Specification	Engineering + QA

Code	Area	Examples
01	Quality Management	Quality Manual, policy
02	Document Control	This procedure
03	Training	Competency procedures
04	Design	Design control
05	Purchasing	Supplier management
06	Production	Manufacturing
07	Quality Control	Inspection, testing
08	CAPA	Corrective actions

Change Type	Approval Level	Examples
Administrative	Document Control	Typos, formatting
Minor	Process Owner + QA	Clarifications
Major	Full review cycle	Process changes
Emergency	Expedited + retrospective	Safety issues

Document Type	Review Period	Trigger for Unscheduled Review
Quality Manual	Annual	Organizational change
Procedures	Annual	Audit finding, regulation change
Work Instructions	2 years	Process change
Forms	2 years	User feedback

Classification	Criteria	Response Time
Major NC	System absence, total breakdown, regulatory violation	30 days for CAPA
Minor NC	Single instance, partial compliance	60 days for CAPA
Observation	Potential risk, improvement opportunity	Track in next audit

Phase	Content	Evidence
Protocol	Objectives, methods, criteria	Approved protocol
IQ	Equipment verification	Installation records
OQ	Parameter verification	Test results
PQ	Performance verification	Production data
Report	Summary, conclusions	Approval signatures

Trigger	Action Required
Equipment change	Assess impact, revalidate affected phases
Parameter change	OQ and PQ minimum
Material change	Assess impact, PQ minimum
Process failure	Full revalidation
Periodic	Per validation schedule (typically 3 years)

Process	Validation Standard	Critical Parameters
EO Sterilization	ISO 11135	Temperature, humidity, EO concentration, time
Steam Sterilization	ISO 17665	Temperature, pressure, time
Radiation Sterilization	ISO 11137	Dose, dose uniformity
Sealing	Internal	Temperature, pressure, dwell time
Welding	ISO 11607	Heat, pressure, speed

Criterion	Weight	Scoring
Quality System	30%	ISO 13485=30, ISO 9001=20, Documented=10, None=0
Quality History	25%	Reject rate: <1%=25, 1-3%=15, >3%=0
Delivery	20%	On-time: >95%=20, 90-95%=10, <90%=0
Technical Capability	15%	Exceeds=15, Meets=10, Marginal=5
Financial Stability	10%	Strong=10, Adequate=5, Questionable=0

Metric	Target	Calculation
Accept Rate	>98%	(Accepted lots / Total lots) × 100
On-Time Delivery	>95%	(On-time / Total orders) × 100
Response Time	<5 days	Average days to resolve issues
Documentation	100%	(Complete CoCs / Required CoCs) × 100

Clause	Title	Key Requirements
4.1	General Requirements	Process identification, interaction, outsourcing
4.2	Documentation	Quality Manual, procedures, records
5.1-5.5	Management Responsibility	Commitment, policy, objectives, organization
5.6	Management Review	Inputs, outputs, records
6.1-6.4	Resource Management	Personnel, infrastructure, environment
7.1	Product Realization Planning	Quality plan, risk management
7.2	Customer Requirements	Determination, review, communication
7.3	Design and Development	Planning, inputs, outputs, review, V&V, transfer, changes
7.4	Purchasing	Supplier control, purchasing info, verification
7.5	Production	Control, cleanliness, validation, identification, traceability
7.6	Monitoring Equipment	Calibration, control
8.1	Measurement Planning	Monitoring and analysis planning
8.2	Monitoring	Feedback, complaints, reporting, audits, process, product
8.3	Nonconforming Product	Control, disposition
8.4	Data Analysis	Trend analysis
8.5	Improvement	CAPA

Input	Source	Prepared By
Audit results	Internal and external audits	QA Manager
Customer feedback	Complaints, surveys	Customer Quality
Process performance	Process metrics	Process Owners
Product conformity	Inspection data, NCs	QC Manager
CAPA status	CAPA system	CAPA Officer
Previous actions	Prior review records	QMR
Changes affecting QMS	Regulatory, organizational	RA Manager
Recommendations	All sources	All Managers

Record Type	Minimum Retention	Regulatory Basis
Device Master Record	Life of device + 2 years	21 CFR 820.181
Device History Record	Life of device + 2 years	21 CFR 820.184
Design History File	Life of device + 2 years	21 CFR 820.30
Complaint Records	Life of device + 2 years	21 CFR 820.198
Training Records	Employment + 3 years	Best practice
Audit Records	7 years	Best practice
CAPA Records	7 years	Best practice
Calibration Records	Equipment life + 2 years	Best practice

Clause	Permissible Exclusion	Justification Required
6.4.2	Contamination control	Product not affected by contamination
7.3	Design and development	Organization does not design products
7.5.2	Product cleanliness	No cleanliness requirements
7.5.3	Installation	No installation activities
7.5.4	Servicing	No servicing activities
7.5.5	Sterile products	No sterile products

Nonconforming Product Identified
            │
            ▼
    Can it be reworked?
            │
       Yes──┴──No
        │       │
        ▼       ▼
    Is rework     Can it be used
    procedure     as is?
    available?        │
        │        Yes──┴──No
    Yes─┴─No     │       │
     │    │     ▼       ▼
     ▼    ▼  Concession  Scrap or
  Rework  Create    approval    return to
  per SOP  rework    needed?    supplier
          procedure     │
                    Yes─┴─No
                     │    │
                     ▼    ▼
                 Customer  Use as is
                 approval  with MRB
                          approval

Source	Automatic CAPA	Evaluate for CAPA
Customer complaint	Safety-related	All others
External audit	Major NC	Minor NC
Internal audit	Major NC	Repeat minor NC
Product NC	Field failure	Trend exceeds threshold
Process deviation	Safety impact	Repeated deviations

Document	Content
iso13485-clause-requirements.md	Detailed requirements for each ISO 13485:2016 clause with audit questions
qms-process-templates.md	Ready-to-use templates for document control, audit, CAPA, supplier, training

Procedure	Clause	Key Elements
Document Control	4.2.3	Approval, distribution, obsolete control
Record Control	4.2.4	Identification, retention, disposal
Internal Audit	8.2.4	Program, auditor qualification, reporting
NC Product Control	8.3	Identification, segregation, disposition
Corrective Action	8.5.2	Root cause, implementation, verification
Preventive Action	8.5.3	Risk identification, implementation

Skill	Integration Point
quality-manager-qmr	Management review, quality policy
capa-officer	CAPA system management
qms-audit-expert	Advanced audit techniques
quality-documentation-manager	DHF, DMR, DHR management
risk-management-specialist	ISO 14971 integration

Area	Pre-QMSR (Dual System)	Post-QMSR (Unified)
Quality Manual	Separate FDA QSR and ISO 13485 references	Single Quality Manual referencing ISO 13485
Design controls	820.30 + ISO 13485 Clause 7.3 (mapped)	ISO 13485 Clause 7.3 (primary)
CAPA	820.100 + ISO 13485 Clause 8.5	ISO 13485 Clause 8.5 (primary)
Document control	820.40 + ISO 13485 Clause 4.2	ISO 13485 Clause 4.2 (primary)
Purchasing	820.50 + ISO 13485 Clause 7.4	ISO 13485 Clause 7.4 (primary)
Audits	Separate FDA and ISO audit tracks	Single audit satisfying both

FDA Requirement	CFR Reference	ISO 13485 Gap	Action
Complaint handling (medical device reports)	21 CFR 820.198	Clause 8.2.2 covers complaints but not FDA MDR reporting specifics	Add FDA MDR reporting procedure to complaint handling SOP
Corrections and removals	21 CFR 806	No direct equivalent	Maintain separate procedure for FDA reporting of corrections/removals
Unique Device Identification	21 CFR 830	No UDI clause in ISO 13485	Add UDI procedures to labeling/identification processes
Electronic records and signatures	21 CFR Part 11	No electronic signature requirements	Implement Part 11 compliance for electronic QMS

Requirement	Implementation	Regulatory Basis
Document version control	Automatic versioning with audit trail	ISO 13485 Clause 4.2.3
Electronic approval workflows	Role-based approval routing with e-signatures	21 CFR Part 11, Annex 11
Access controls	Role-based permissions, segregation of duties	ISO 13485 Clause 4.2.3(c)
Audit trail	Immutable record of all changes with timestamp, user, reason	21 CFR Part 11 §11.10(e)
Backup and recovery	Regular backups with tested restore procedures	ISO 13485 Clause 4.2.4
Training records integration	Link document access to training completion	ISO 13485 Clause 6.2
Obsolete document control	Automatic removal from use with archival	ISO 13485 Clause 4.2.3(e)

Signature Type	Use Case	Technical Requirement
Electronic signature	Document approval, batch release, CAPA closure	Linked to individual, date/time stamped, meaning included
Digital signature	High-assurance: design reviews, regulatory submissions	PKI-based, certificate authority, tamper-evident
Biometric signature	Optional for high-security processes	Fingerprint or similar biometric linked to identity

Element	Description	Example
Who	User identity (not shared accounts)	[email protected]
What	Action performed	"Approved SOP-02-001 Rev 3"
When	Date and time (UTC or with timezone)	2026-03-09T14:30:00Z
Why	Reason for change (required for modifications)	"Updated per CAPA-2026-003 findings"
Previous value	Old content (for modifications)	Automatic diff/version comparison

Requirement	Section	QMS Implementation
Validation	§11.10(a)	Validate eQMS software per GAMP 5 methodology
Audit trail	§11.10(e)	Computer-generated, timestamped, immutable audit trail
System access controls	§11.10(d)	Unique user IDs, passwords, role-based access
Authority checks	§11.10(g)	Only authorized individuals can use specific functions
Device checks	§11.10(h)	Verify source of data input
Personnel qualification	§11.10(i)	Training on system use and Part 11 requirements
Electronic signatures	§11.50, §11.100	Unique to individual, not reusable, linked to records
Open vs. closed systems	§11.30 vs. §11.10	Determine system type; open systems need encryption

Requirement	Section	QMS Implementation
Risk management	§1	Apply risk-based approach to computerized system validation
Personnel	§2	Designated system owner and trained users
Supplier assessment	§3	Assess eQMS vendor quality and compliance capability
Validation	§4-5	IQ/OQ/PQ for eQMS, validation plan and report
Data	§6-9	Data integrity, accuracy checks, data storage
Printouts	§8	Ability to generate clear, legible copies of electronic records
Audit trail	§9	Record of all GMP-relevant changes
Change and configuration management	§10-11	Controlled change process for system modifications
Security	§12	Physical and logical security controls
Incident management	§13	Procedure for reporting and managing system incidents
Electronic signatures	§14	Equivalent legal standing to handwritten signatures
Batch release	§15	Electronic batch release with appropriate controls
Business continuity	§16	Contingency procedures for system unavailability
Archiving	§17	Long-term accessibility and readability of archived data

Audit Element	On-Site Approach	Remote Equivalent
Document review	Physical review of controlled copies	Screen-sharing of eDMS, live navigation
Record sampling	Pull physical records from files	Live database queries via screen-share
Process observation	Walk the production floor	Live video tour, camera-equipped devices
Personnel interviews	Face-to-face	Video conference with individual sessions
Equipment verification	Physical inspection	Live video with zoom capability
Evidence collection	Photocopies, photographs	Screenshots, screen recordings, exported PDFs

Practice	Description
Pre-audit documentation	Share document packages 2 weeks before audit via secure portal
Technology testing	Test video conferencing, screen-sharing, and secure file transfer before audit
Audit plan adaptation	Allow 20-30% more time for remote activities vs. on-site
Secure communication	Use encrypted channels for all audit communications and evidence transfer
Real-time evidence	Prefer live demonstrations over pre-recorded material
Breakout rooms	Use separate video sessions for confidential interviews
Audit trail of the audit	Record audit sessions (with agreement) for reference

Activity	Recommended Mode	Rationale
Opening/closing meetings	Remote	Efficient, schedule-friendly
Document and record review	Remote	Full eDMS access, efficient sampling
Process observation (manufacturing)	On-site	Cannot verify physical processes remotely
Cleanroom/controlled environment	On-site	Environmental conditions require physical presence
Software system review	Remote	Screen-sharing is equivalent or better
Management interview	Either	Remote is acceptable
Supplier audit (critical)	On-site	Physical verification essential

ISO 42001 Clause	ISO 13485 Integration Point	Combined Requirement
4. Context of the organization	Clause 4.1 (General requirements)	Extend QMS scope to include AI-specific processes
5. Leadership	Clause 5 (Management responsibility)	AI governance within quality policy and objectives
6. Planning (AI risk assessment)	Clause 7.1 (Risk management planning)	Extend ISO 14971 risk management to AI-specific risks
7. Support (AI competence)	Clause 6.2 (Human resources)	Add AI/ML competency requirements to training matrix
8. Operation (AI lifecycle)	Clause 7.3 (Design and development)	Integrate AI development lifecycle into design controls
9. Performance evaluation	Clause 8 (Measurement, analysis)	Add AI performance metrics to quality monitoring
10. Improvement	Clause 8.5 (CAPA)	Include AI-related incidents in CAPA scope

ISO 13485 Design Control (Cl. 7.3)     ISO 42001 AI Lifecycle
─────────────────────────────────       ─────────────────────
Design Input (7.3.3)                    AI System Requirements
    ↓                                       ↓
Design Output (7.3.4)                   Data Collection & Preparation
    ↓                                   Model Architecture & Training
    ↓                                       ↓
Design Review (7.3.5)                   AI Model Validation Review
    ↓                                       ↓
Design Verification (7.3.6)            Model Verification (accuracy, bias)
    ↓                                       ↓
Design Validation (7.3.7)             Clinical Validation (real-world performance)
    ↓                                       ↓
Design Transfer (7.3.8)               Model Deployment & Monitoring
    ↓                                       ↓
Design Changes (7.3.9)                Model Retraining & Update Control

Qualification Criterion	Assessment Method	Minimum Requirement
Information security	ISO 27001 certificate or SOC 2 Type II report	Current certification for relevant scope
Data residency	Contractual agreement + architecture review	Data stored in jurisdictions compliant with regulations
Availability SLA	Service agreement review	99.9% uptime minimum for critical systems
Backup and recovery	Architecture review + test results	RPO < 4 hours, RTO < 8 hours for critical systems
Incident notification	Contract clause review	Notification within 24 hours of security incident
Audit rights	Contract clause	Right to audit or receive audit reports
Regulatory compliance	Vendor compliance documentation	GxP-qualified environments (if applicable)
Exit strategy	Data portability assessment	Documented data export capability in standard formats

Assessment Area	Category A (Critical)	Category B (Major)	Category C (Minor)
Quality system	ISO 13485 or ISO 9001 required	ISO 9001 preferred	Documented processes
Development process	IEC 62304 compliance evidence	SDLC documentation	Basic version control
Cybersecurity	IEC 81001-5-1 compliance	Security testing evidence	Basic security practices
Change management	Formal change control with notification	Release notes and notification	Version tracking
Validation support	IQ/OQ/PQ documentation provided	Functional test documentation	User documentation
Incident handling	SLA-based response with root cause	Defined support process	Best-effort support

Incident Type	CAPA Required?	Response Actions
Patient data breach	Yes — automatic	Contain → investigate → notify (GDPR 72h, HIPAA 60 days) → CAPA
Device vulnerability (exploitable)	Yes — automatic	Patch → verify → communicate → CAPA for root cause
Device vulnerability (not exploitable)	Evaluate	Risk assessment → mitigate if feasible → track
Malware on manufacturing system	Yes — automatic	Isolate → clean → verify product integrity → CAPA
Unauthorized access to QMS	Yes — automatic	Revoke access → assess impact → verify record integrity → CAPA
Supplier security incident	Evaluate	Assess impact on device/data → CAPA if product affected

Step 1: Incident Detection and Containment
        → Activate incident response plan
        → Contain threat and preserve evidence
        → Assess impact on product safety and quality

Step 2: Investigation (Root Cause Analysis)
        → Technical forensic analysis
        → 5 Whys + attack chain reconstruction
        → Identify QMS process failures that enabled the incident
        → Assess whether product quality was affected

Step 3: Corrective Actions
        → Technical: patch vulnerability, update security controls
        → Process: update SOPs, access controls, monitoring
        → People: security awareness training
        → Product: assess need for field safety corrective action (FSCA)

Step 4: Preventive Actions
        → Threat modeling review for similar attack vectors
        → Security control gap analysis
        → Supply chain security review (if applicable)
        → Update cybersecurity risk assessment

Step 5: Effectiveness Verification
        → Penetration testing to verify fix
        → Monitoring for recurrence (90-day window)
        → Review of updated security metrics
        → Close CAPA with evidence of effectiveness

Step 6: Regulatory Reporting (if required)
        → MDR vigilance report (if patient safety affected)
        → FDA MedWatch report (if applicable)
        → GDPR breach notification (if personal data involved)
        → NIS2 incident report (if essential entity)

Problem	Likely Cause	Resolution
Audit checklist generator returns empty output	Clause number not recognized	Use exact clause numbers from ISO 13485:2016 (e.g., `7.3`, `4.2.3`, `8.5.2`). Run with `--interactive` to see all available clauses.
System audit checklist is very large	`--audit-type system` includes all clauses	For targeted audits, use `--clause` or `--process` flags to generate focused checklists. System audits intentionally cover the full standard.
Gap analysis matrix shows all clauses as "Major" gaps	Assessment conducted against a greenfield organization	Prioritize gaps by regulatory criticality and product safety impact. Address Clauses 4.2, 7.3, 8.2.4, 8.3, and 8.5 first as these require mandatory documented procedures.
QMSR transition mapping unclear	QSR sections not aligned to ISO 13485 clauses	The QMSR (effective Feb 2, 2026) incorporates ISO 13485 by reference. Map QSR 21 CFR 820 sub-parts to ISO 13485 clauses using the QMSR Gap Analysis Checklist in this skill.
Supplier qualification score borderline (60-80)	Supplier meets some criteria but has gaps	Issue conditional approval with documented improvement requirements and a defined reassessment date. Increase monitoring frequency until the supplier exceeds the 80-point threshold.
Process validation protocol incomplete	IQ/OQ/PQ phases not clearly separated	Each qualification phase must have distinct objectives, acceptance criteria, and documented results. Use the Validation Documentation Requirements table as a template for protocol structure.
Design control audit questions not applicable	Organization does not perform design activities	ISO 13485 permits exclusion of Clause 7.3 if the organization does not design products. Document the exclusion justification in the Quality Manual per Clause 4.2.2.

Skill	Integration
quality-manager-qmr	QMR oversees QMS effectiveness; management review inputs include QMS process performance metrics
capa-officer	CAPA system (Clause 8.5) is a core QMS process; CAPA effectiveness feeds into management review
qms-audit-expert	Internal audit program (Clause 8.2.4) evaluates QMS processes; audit findings drive CAPA and improvement
quality-documentation-manager	Document and record control (Clause 4.2) provides the documentation foundation for the entire QMS
risk-management-specialist	ISO 14971 risk management integrates with design control (Clause 7.3) and product realization planning (Clause 7.1)
fda-consultant-specialist	QMSR alignment requires mapping FDA-specific requirements (MDR reporting, UDI, Part 11) beyond ISO 13485
regulatory-affairs-head	Regulatory strategy informs QMS scope, market-specific requirements, and certification timelines

Flag	Required	Description
`--clause`	No	ISO 13485 clause number to generate a clause-specific checklist (e.g., `7.3`, `4.2.3`, `8.5.2`)
`--process`	No	Process name for a process-based checklist (e.g., `design-control`, `purchasing`, `capa`)
`--audit-type`	No	Audit type: `system` for a full-system checklist covering all clauses
`--output`	No	Output format: `json` for structured output, omit for human-readable text
`--interactive`	No	Launch interactive mode for guided clause/process selection

Audit #	Process	Clauses	Q1	Q2	Q3	Q4	Auditor
IA-001	Document Control	4.2.3, 4.2.4	X				[Name]
IA-002	Management Review	5.6		X			[Name]
IA-003	Design Control	7.3		X			[Name]
IA-004	Production	7.5			X		[Name]
IA-005	CAPA	8.5.2, 8.5.3				X	[Name]

Criterion	Requirement
Training	ISO 13485 awareness + auditor training
Experience	Minimum 1 audit as observer
Independence	Not auditing own work area
Competence	Understanding of audited process

Category	Qualification	Monitoring	Agreement
A - Critical	On-site audit	Annual review	Quality agreement
B - Major	Questionnaire	Semi-annual review	Quality requirements
C - Minor	Assessment	Issue-based	Standard terms

Quality Manager Qms Iso13485

Table of Contents

Quality Manager Qms Iso13485

Table of Contents

QMS Implementation Workflow

Workflow: Initial QMS Implementation

Gap Analysis Matrix

QMS Structure

Required Procedure List

Document Control Workflow

Workflow: Document Creation and Approval

Document Numbering Convention

Area Codes

Document Change Control

Document Review Schedule

Internal Audit Workflow

Workflow: Annual Audit Program

Workflow: Individual Audit Execution

Audit Program Template

Auditor Qualification Requirements

Finding Classification Guide

Process Validation Workflow

Workflow: Process Validation Protocol

Validation Documentation Requirements

Revalidation Triggers

Special Process Examples

Supplier Qualification Workflow

Workflow: New Supplier Qualification

Supplier Evaluation Criteria

Supplier Category Requirements

Supplier Performance Metrics

QMS Process Reference

ISO 13485 Clause Structure

Management Review Required Inputs (Clause 5.6.2)

Record Retention Requirements

Decision Frameworks

Exclusion Justification (Clause 4.2.2)

Nonconformity Disposition Decision Tree

CAPA Initiation Criteria

Tools and References

Scripts

References

Quick Reference: Mandatory Documented Procedures

Related Skills

ISO 13485:2016 Alignment with FDA QMSR

QMSR Transition Impact on ISO 13485 QMS

FDA-Retained Requirements Beyond ISO 13485

QMSR Gap Analysis Checklist

Digital QMS Implementation

Electronic Document Management System (eDMS) Requirements

Electronic Signatures

Audit Trail Requirements

Cross-Reference: 21 CFR Part 11 / Annex 11

21 CFR Part 11 Requirements for Electronic Records

Annex 11 (EU GMP) Requirements

Remote Audit Considerations (Post-COVID)

Remote Audit Methodology

Remote Audit Best Practices

Hybrid Audit Model

Cross-Reference: ISO 42001 for AI-Enabled Medical Devices

ISO 42001 (AI Management System) Integration with ISO 13485

AI Lifecycle Integration with Design Controls

Supplier Qualification for Software/Cloud Providers

Cloud Service Provider Qualification

Software Supplier Assessment

CAPA Integration with Cybersecurity Incidents

Cybersecurity Incident as CAPA Trigger

Cybersecurity CAPA Process

ISO 13485 Enhanced — QMSR, Digital QMS & Cross-Framework Integration

ISO 13485:2016 Alignment with FDA QMSR

Digital QMS Implementation

Remote Audit Considerations

AI-Enabled Medical Device QMS

Supplier Qualification for Software/Cloud Providers

Troubleshooting

Success Criteria

Scope & Limitations

Integration Points

Tool Reference

qms_audit_checklist.py