OpenSkillIndex← back to search
claude-code

Claude-Skills fda-consultant-specialist

install
source · Clone the upstream repo
git clone https://github.com/borghei/Claude-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/borghei/Claude-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/ra-qm-team/fda-consultant-specialist" ~/.claude/skills/borghei-claude-skills-fda-consultant-specialist && rm -rf "$T"
manifest: ra-qm-team/fda-consultant-specialist/SKILL.md
source content

FDA Consultant Specialist

FDA regulatory consulting for medical device manufacturers covering submission pathways, Quality System Regulation (QSR), HIPAA compliance, and device cybersecurity requirements.

Table of Contents

FDA Pathway Selection

Determine the appropriate FDA regulatory pathway based on device classification and predicate availability.

Decision Framework

Predicate device exists?
├── YES → Substantially equivalent?
│   ├── YES → 510(k) Pathway
│   │   ├── No design changes → Abbreviated 510(k)
│   │   ├── Manufacturing only → Special 510(k)
│   │   └── Design/performance → Traditional 510(k)
│   └── NO → PMA or De Novo
└── NO → Novel device?
    ├── Low-to-moderate risk → De Novo
    └── High risk (Class III) → PMA

Pathway Comparison

PathwayWhen to UseTimelineCost
510(k) TraditionalPredicate exists, design changes90 days$21,760
510(k) SpecialManufacturing changes only30 days$21,760
510(k) AbbreviatedGuidance/standard conformance30 days$21,760
De NovoNovel, low-moderate risk150 days$134,676
PMAClass III, no predicate180+ days$425,000+

Pre-Submission Strategy

  1. Identify product code and classification
  2. Search 510(k) database for predicates
  3. Assess substantial equivalence feasibility
  4. Prepare Q-Sub questions for FDA
  5. Schedule Pre-Sub meeting if needed

Reference: See fda_submission_guide.md for pathway decision matrices and submission requirements.

510(k) Submission Process

Workflow

Phase 1: Planning
├── Step 1: Identify predicate device(s)
├── Step 2: Compare intended use and technology
├── Step 3: Determine testing requirements
└── Checkpoint: SE argument feasible?

Phase 2: Preparation
├── Step 4: Complete performance testing
├── Step 5: Prepare device description
├── Step 6: Document SE comparison
├── Step 7: Finalize labeling
└── Checkpoint: All required sections complete?

Phase 3: Submission
├── Step 8: Assemble submission package
├── Step 9: Submit via eSTAR
├── Step 10: Track acknowledgment
└── Checkpoint: Submission accepted?

Phase 4: Review
├── Step 11: Monitor review status
├── Step 12: Respond to AI requests
├── Step 13: Receive decision
└── Verification: SE letter received?

Required Sections (21 CFR 807.87)

SectionContent
Cover LetterSubmission type, device ID, contact info
Form 3514CDRH premarket review cover sheet
Device DescriptionPhysical description, principles of operation
Indications for UseForm 3881, patient population, use environment
SE ComparisonSide-by-side comparison with predicate
Performance TestingBench, biocompatibility, electrical safety
Software DocumentationLevel of concern, hazard analysis (IEC 62304)
LabelingIFU, package labels, warnings
510(k) SummaryPublic summary of submission

Common RTA Issues

IssuePrevention
Missing user feeVerify payment before submission
Incomplete Form 3514Review all fields, ensure signature
No predicate identifiedConfirm K-number in FDA database
Inadequate SE comparisonAddress all technological characteristics

QSR Compliance

Quality System Regulation (21 CFR Part 820) requirements for medical device manufacturers.

Key Subsystems

SectionTitleFocus
820.20Management ResponsibilityQuality policy, org structure, management review
820.30Design ControlsInput, output, review, verification, validation
820.40Document ControlsApproval, distribution, change control
820.50Purchasing ControlsSupplier qualification, purchasing data
820.70Production ControlsProcess validation, environmental controls
820.100CAPARoot cause analysis, corrective actions
820.181Device Master RecordSpecifications, procedures, acceptance criteria

Design Controls Workflow (820.30)

Step 1: Design Input
└── Capture user needs, intended use, regulatory requirements
    Verification: Inputs reviewed and approved?

Step 2: Design Output
└── Create specifications, drawings, software architecture
    Verification: Outputs traceable to inputs?

Step 3: Design Review
└── Conduct reviews at each phase milestone
    Verification: Review records with signatures?

Step 4: Design Verification
└── Perform testing against specifications
    Verification: All tests pass acceptance criteria?

Step 5: Design Validation
└── Confirm device meets user needs in actual use conditions
    Verification: Validation report approved?

Step 6: Design Transfer
└── Release to production with DMR complete
    Verification: Transfer checklist complete?

CAPA Process (820.100)

  1. Identify: Document nonconformity or potential problem
  2. Investigate: Perform root cause analysis (5 Whys, Fishbone)
  3. Plan: Define corrective/preventive actions
  4. Implement: Execute actions, update documentation
  5. Verify: Confirm implementation complete
  6. Effectiveness: Monitor for recurrence (30-90 days)
  7. Close: Management approval and closure

Reference: See qsr_compliance_requirements.md for detailed QSR implementation guidance.

HIPAA for Medical Devices

HIPAA requirements for devices that create, store, transmit, or access Protected Health Information (PHI).

Applicability

Device TypeHIPAA Applies
Standalone diagnostic (no data transmission)No
Connected device transmitting patient dataYes
Device with EHR integrationYes
SaMD storing patient informationYes
Wellness app (no diagnosis)Only if stores PHI

Required Safeguards

Administrative (§164.308)
├── Security officer designation
├── Risk analysis and management
├── Workforce training
├── Incident response procedures
└── Business associate agreements

Physical (§164.310)
├── Facility access controls
├── Workstation security
└── Device disposal procedures

Technical (§164.312)
├── Access control (unique IDs, auto-logoff)
├── Audit controls (logging)
├── Integrity controls (checksums, hashes)
├── Authentication (MFA recommended)
└── Transmission security (TLS 1.2+)

Risk Assessment Steps

  1. Inventory all systems handling ePHI
  2. Document data flows (collection, storage, transmission)
  3. Identify threats and vulnerabilities
  4. Assess likelihood and impact
  5. Determine risk levels
  6. Implement controls
  7. Document residual risk

Reference: See hipaa_compliance_framework.md for implementation checklists and BAA templates.

Device Cybersecurity

FDA cybersecurity requirements for connected medical devices.

Premarket Requirements

ElementDescription
Threat ModelSTRIDE analysis, attack trees, trust boundaries
Security ControlsAuthentication, encryption, access control
SBOMSoftware Bill of Materials (CycloneDX or SPDX)
Security TestingPenetration testing, vulnerability scanning
Vulnerability PlanDisclosure process, patch management

Device Tier Classification

Tier 1 (Higher Risk):

  • Connects to network/internet
  • Cybersecurity incident could cause patient harm

Tier 2 (Standard Risk):

  • All other connected devices

Postmarket Obligations

  1. Monitor NVD and ICS-CERT for vulnerabilities
  2. Assess applicability to device components
  3. Develop and test patches
  4. Communicate with customers
  5. Report to FDA per guidance

Coordinated Vulnerability Disclosure

Researcher Report
    ↓
Acknowledgment (48 hours)
    ↓
Initial Assessment (5 days)
    ↓
Fix Development
    ↓
Coordinated Public Disclosure

Reference: See device_cybersecurity_guidance.md for SBOM format examples and threat modeling templates.

Resources

scripts/

ScriptPurpose
fda_submission_tracker.py
Track 510(k)/PMA/De Novo submission milestones and timelines
qsr_compliance_checker.py
Assess 21 CFR 820 compliance against project documentation
hipaa_risk_assessment.py
Evaluate HIPAA safeguards in medical device software

references/

FileContent
fda_submission_guide.md
510(k), De Novo, PMA submission requirements and checklists
qsr_compliance_requirements.md
21 CFR 820 implementation guide with templates
hipaa_compliance_framework.md
HIPAA Security Rule safeguards and BAA requirements
device_cybersecurity_guidance.md
FDA cybersecurity requirements, SBOM, threat modeling
fda_capa_requirements.md
CAPA process, root cause analysis, effectiveness verification

Usage Examples

# Track FDA submission status
python scripts/fda_submission_tracker.py /path/to/project --type 510k

# Assess QSR compliance
python scripts/qsr_compliance_checker.py /path/to/project --section 820.30

# Run HIPAA risk assessment
python scripts/hipaa_risk_assessment.py /path/to/project --category technical

FDA QMSR — Quality Management System Regulation

Transition from QSR (21 CFR 820) to QMSR

The FDA finalized the Quality Management System Regulation (QMSR) in January 2024, replacing the legacy Quality System Regulation (QSR) with ISO 13485:2016 alignment. The rule became effective February 2, 2026.

AspectLegacy QSR (21 CFR 820)QMSR (Effective Feb 2026)
FrameworkFDA-specific prescriptive requirementsIncorporates ISO 13485:2016 by reference
Design controls820.30 (FDA-specific)ISO 13485 Clause 7.3
CAPA820.100ISO 13485 Clause 8.5
Document control820.40ISO 13485 Clause 4.2
Management responsibility820.20ISO 13485 Clause 5
Purchasing controls820.50ISO 13485 Clause 7.4

Key differences under QMSR:

  • ISO 13485:2016 is incorporated by reference as the primary QMS standard
  • FDA retains certain device-specific requirements not covered by ISO 13485 (e.g., complaint handling per 21 CFR 820.198)
  • Organizations already ISO 13485 certified have a significant head start
  • No separate FDA registration for QMS — single system serves both ISO and FDA

QMSR Transition Checklist

  • Gap analysis: ISO 13485:2016 vs. current QSR compliance
  • Update Quality Manual to reference ISO 13485 clause structure
  • Map existing SOPs to ISO 13485 clauses
  • Address FDA-specific retained requirements (complaint handling, MDR reporting)
  • Train staff on ISO 13485 terminology and structure
  • Update supplier agreements to reference new regulatory framework
  • Conduct internal audit against QMSR requirements
  • Update design history files to ISO 13485 Clause 7.3 format

AI/ML-Based Software as Medical Device (SaMD)

FDA AI/ML SaMD Framework

CategoryDescriptionFDA Pathway
Locked algorithmAlgorithm does not change after deploymentStandard 510(k)/De Novo/PMA
Adaptive algorithm (PCCP)Algorithm learns and changes with usePredetermined Change Control Plan
Continuously learningReal-time adaptation from new dataCase-by-case; PCCP required

AI/ML SaMD Submission Requirements

AI/ML SaMD Submission Package
├── Algorithm description and architecture
├── Training data characterization
│   ├── Data sources and collection methods
│   ├── Demographics and representativeness
│   ├── Data quality and labeling methodology
│   └── Training/validation/test split rationale
├── Performance evaluation
│   ├── Pre-specified performance goals
│   ├── Standalone performance metrics (sensitivity, specificity, AUC)
│   ├── Subgroup analysis (age, sex, race, site)
│   └── Real-world performance data (if available)
├── Reference standard justification
├── Predetermined Change Control Plan (if adaptive)
├── Human factors / user interface
├── Cybersecurity documentation
└── Software documentation per IEC 62304

Good Machine Learning Practice (GMLP) Principles

  1. Multi-disciplinary expertise throughout product lifecycle
  2. Good software engineering and security practices
  3. Representative training and test datasets
  4. Independent test datasets separate from training
  5. Reference datasets based on best available methods
  6. Model design tailored to available data and intended use
  7. Focus on performance of human-AI team
  8. Clinical study testing demonstrates real-world performance
  9. Users provided clear, essential information
  10. Deployed models monitored for performance with retraining managed

Predetermined Change Control Plan (PCCP) for AI/ML Devices

PCCP Structure

SectionContentEvidence
Description of modificationsTypes of changes the algorithm will makeChange specification document
Modification protocolHow changes will be developed and testedValidation protocol
Impact assessmentHow each change type affects safety and effectivenessRisk analysis per change type
Performance monitoringOngoing real-world performance trackingMonitoring plan with metrics
Update verificationHow each update will be verified before deploymentVerification and validation plan
TransparencyHow users will be notified of changesCommunication plan

PCCP Change Categories

CategoryExampleVerification Level
Performance improvementRetrained model with additional dataAutomated testing + clinical validation
Input adaptationNew imaging modality supportFull V&V cycle
Output modificationNew risk categories or confidence levelsClinical study
Architecture changeModel architecture updateNew submission (510(k)/PMA supplement)

Enhanced Cybersecurity Requirements (PATCH Act)

The PATCH Act (effective March 2023, codified in FD&C Act §524B) requires:

RequirementDetailsEvidence
Cybersecurity planSubmit plan to monitor, identify, and address vulnerabilitiesPremarket submission section
SBOMSoftware Bill of Materials including commercial, open-source, off-the-shelf componentsCycloneDX or SPDX format
Patch/update capabilityDesign device to be patchable throughout lifecycleArchitecture documentation
Coordinated vulnerability disclosureEstablish and maintain CVD processPublished security policy
Postmarket updatesProvide patches and updates in a reasonably justified cyclePatch management plan

Cybersecurity Documentation for Premarket Submissions

Cybersecurity Premarket Package
├── Security risk assessment
│   ├── Threat model (STRIDE or equivalent)
│   ├── Security risk analysis per AAMI TIR57
│   └── Attack surface analysis
├── Security architecture
│   ├── Security controls implementation
│   ├── Cryptographic architecture
│   └── Network architecture and trust boundaries
├── SBOM (Software Bill of Materials)
│   ├── All software components (commercial, open-source, custom)
│   ├── Version information
│   └── Known vulnerability status
├── Security testing
│   ├── Static analysis (SAST)
│   ├── Dynamic analysis (DAST)
│   ├── Penetration testing report
│   ├── Fuzz testing results
│   └── Vulnerability scanning results
├── Lifecycle security plan
│   ├── Patch management process
│   ├── End-of-life/end-of-support plan
│   └── Customer communication plan
└── Coordinated vulnerability disclosure policy

Cross-Reference: EU AI Act for AI Medical Devices

AI-enabled medical devices must comply with both FDA requirements and EU AI Act when marketed in both jurisdictions:

AspectFDA ApproachEU AI Act ApproachHarmonization Strategy
Risk classificationSaMD risk framework (IMDRF)Annex III high-risk (medical devices)Map to both frameworks; use higher standard
TransparencyLabeling requirementsArt. 13 transparency obligationsUnified transparency documentation
Data governanceGMLP principlesArt. 10 data and data governanceComprehensive data quality program
Human oversightHuman factors per IEC 62366Art. 14 human oversightIntegrated human factors + oversight design
Post-marketReal-world performance monitoringArt. 72 post-market monitoringSingle monitoring system serving both
Technical documentationFDA premarket submissionAnnex IV technical documentationUnified technical file

See also: 

../mdr-745-specialist/SKILL.md
for EU MDR classification of AI/ML medical devices and 
../risk-management-specialist/SKILL.md
for ISO 14971 risk management for AI devices.

Updated 510(k) Electronic Submission Requirements (eSTAR)

eSTAR Mandate

As of October 1, 2023, FDA requires all 510(k) submissions to use the eSTAR template format. Paper submissions are no longer accepted.

eSTAR RequirementDetails
TemplateFDA eSTAR template (fillable PDF)
FormatStructured data fields + attachments
AttachmentsPDF/A format, bookmarked, OCR-searchable
File namingFDA naming convention required
Submission portalCDRH Customer Collaboration Portal or FDA ESG
Maximum file size100MB per individual file; no total limit

eSTAR Section Mapping

eSTAR SectionContentCommon Deficiencies
AdministrativeCover letter, user fee, truthful/accurate statementMissing signatures, incorrect fee
Device DescriptionComplete device description with images/diagramsInsufficient detail, missing accessories
Substantial EquivalencePredicate comparison tableIncomplete comparison criteria
Performance TestingAll test reports with summariesMissing acceptance criteria, incomplete protocols
SoftwareLevel of concern, hazard analysis, architectureOutdated IEC 62304 compliance
BiocompatibilityISO 10993 evaluation or testingMissing risk assessment, incomplete contact analysis
SterilitySterilization validation summaryMissing reprocessing instructions (reusable devices)
LabelingDevice labels, IFU, patient materialsNon-compliant with 21 CFR 801
EMC/Electrical SafetyIEC 60601-1 complianceMissing particular standards
ClinicalClinical data summary (if applicable)Insufficient clinical evidence for new indications

Cross-Framework: FDA ↔ MDR ↔ ISO 13485 Mapping

Process AreaFDA (QMSR/QSR)EU MDR 2017/745ISO 13485:2016
Quality management system21 CFR 820 / QMSRAnnex IX, Annex XIClause 4
Management responsibility820.20 / ISO 13485 Cl. 5Annex IX §2.2Clause 5
Design controls820.30 / ISO 13485 Cl. 7.3Annex II §6.1, GSPRClause 7.3
Document control820.40 / ISO 13485 Cl. 4.2Annex IX §2.3Clause 4.2
Purchasing820.50 / ISO 13485 Cl. 7.4Annex IX §2.4Clause 7.4
Production820.70 / ISO 13485 Cl. 7.5Annex IX §2.5Clause 7.5
CAPA820.100 / ISO 13485 Cl. 8.5Art. 83 (PMS), Art. 89 (FSCA)Clause 8.5
Risk management820.30(g) / ISO 14971Annex I (GSPR), ISO 14971Clause 7.1
Clinical evidence820.30(f) / clinical dataAnnex XIV (clinical evaluation)N/A (separate)
Post-market820.198 / MDR/MedWatchArt. 83-86 (PMS), Art. 87-92 (vigilance)Clause 8.2.1-8.2.3
Labeling21 CFR 801Art. 10-13, Annex I Ch. IIIN/A (separate)
UDI21 CFR 830 (FDA UDI)Art. 27-29 (UDI-DI/PI)N/A (separate)
Cybersecurity§524B FD&C (PATCH Act)MDCG 2019-16N/A (separate)
AI/ML devicesAI/ML SaMD framework + PCCPEU AI Act + MDRISO 13485 + ISO 42001

Cross-references: See 

../quality-manager-qms-iso13485/SKILL.md
for ISO 13485 implementation aligned with QMSR, and 
../mdr-745-specialist/SKILL.md
for EU MDR technical documentation requirements.

FDA Regulatory Updates & Cross-Framework Integration

FDA QMSR — Quality Management System Regulation

The FDA is aligning 21 CFR Part 820 with ISO 13485:2016 through the Quality Management System Regulation (QMSR), effective February 2, 2026:

  • Key Change: QSR (21 CFR 820) replaced by ISO 13485 as the recognized quality system standard
  • Impact: Manufacturers must comply with ISO 13485:2016 instead of QSR-specific requirements
  • Design Controls: ISO 13485 Clause 7.3 replaces 820.30
  • CAPA: ISO 13485 Clause 8.5 replaces 820.90/820.100
  • Transition: FDA accepting both QSR and QMSR during transition period

AI/ML-Based Software as Medical Device (SaMD)

  • Predetermined Change Control Plan (PCCP): Required for AI/ML devices that learn and adapt
  • Good Machine Learning Practice (GMLP): FDA's 10 guiding principles for AI/ML in medical devices
  • Transparency: Clear labeling of AI/ML-based functionality and limitations
  • Real-World Performance: Post-market monitoring of AI model performance drift
  • Cross-reference: See 
    eu-ai-act-specialist
    for EU AI Act requirements for AI medical devices

Enhanced Cybersecurity Requirements (PATCH Act)

  • Premarket Submissions: Cybersecurity documentation required for all connected devices
  • Software Bill of Materials (SBOM): Mandatory for all premarket submissions
  • Coordinated Vulnerability Disclosure: Required policy for all connected device manufacturers
  • Postmarket Patches: Cybersecurity patches exempt from 510(k) requirements
  • Cross-reference: See 
    infrastructure-compliance-auditor
    for technical cybersecurity checks

Cross-Framework Mapping (FDA ↔ MDR ↔ ISO 13485)

AreaFDA (QSR/QMSR)EU MDR 2017/745ISO 13485:2016
Design Controls820.30 / QMSRAnnex IIClause 7.3
Risk Management820.30(g)Annex I GSPRISO 14971
Clinical Evidence820.30(f)Annex XIVClause 7.3.7
CAPA820.90/100Art. 83, 89Clause 8.5
Post-Market822, MDRChapter VIIClause 8.2.1
CybersecurityFDA GuidanceMDCG 2019-16IEC 62443
AI/MLPCCP FrameworkEU AI ActISO 42001

Troubleshooting

ProblemPossible CauseResolution
510(k) submission returned as RTA (Refuse to Accept)Missing user fee, incomplete Form 3514, no predicate identified, or inadequate SE comparisonReview the RTA checklist per FDA guidance; verify payment, complete all eSTAR fields, confirm K-number in FDA database, and address all technological characteristics in SE comparison
QSR compliance checker shows gaps in design controls (820.30)Design History File incomplete or not aligned with ISO 13485 Clause 7.3 under QMSRMap existing DHF to ISO 13485 Clause 7.3 structure; ensure design inputs, outputs, reviews, verification, and validation are documented with traceability
HIPAA risk assessment returns low score for technical safeguardsMissing encryption at rest/transit, no MFA implementation, or audit logging not enabledImplement AES-256 encryption at rest, TLS 1.2+ in transit, MFA for all users with ePHI access, and comprehensive audit logging; run 
hipaa_risk_assessment.py
with 
--category technical
to validate
FDA AI request (Additional Information) received during 510(k) reviewPerformance testing insufficient, SE argument incomplete, or software documentation gapsRespond within 180 days; address each question specifically; supplement with additional test data, clinical evidence, or software documentation per IEC 62304
QMSR transition gap analysis reveals significant differencesOrganization structured QMS around legacy 21 CFR 820 rather than ISO 13485Conduct systematic gap analysis mapping 820 subsections to ISO 13485 clauses; prioritize complaint handling (retained FDA requirement), risk-based evidence across all processes, and updated Quality Manual
Cybersecurity documentation rejected in premarket submissionSBOM incomplete, threat model missing, or coordinated vulnerability disclosure policy not publishedGenerate comprehensive SBOM in CycloneDX or SPDX format; complete STRIDE threat model per AAMI TIR57; publish CVD policy; document patch management lifecycle plan
AI/ML SaMD submission lacks Predetermined Change Control PlanAdaptive algorithm deployed without PCCP frameworkDevelop PCCP covering modification types, validation protocol, impact assessment, performance monitoring, and user notification plan; include all four change categories with appropriate verification levels

Success Criteria

  • 510(k) submission accepted on first attempt -- zero RTA deficiencies, with all eSTAR sections complete, user fee verified, predicate identified, and SE comparison addressing all technological characteristics
  • QSR/QMSR compliance score above 85% -- as measured by 
    qsr_compliance_checker.py
    , with all critical subsections (design controls, CAPA, document control) showing evidence of implementation
  • HIPAA technical safeguards fully implemented -- AES-256 encryption at rest, TLS 1.2+ in transit, MFA enforced, audit controls active, and automatic logoff configured for all systems handling ePHI
  • FDA submission timeline targets met -- 510(k) traditional within 90 days, De Novo within 150 days, PMA within 180 days, tracked via 
    fda_submission_tracker.py
    milestones
  • QMSR transition completed -- Quality Manual references ISO 13485 clause structure, all SOPs mapped, FDA-specific retained requirements addressed, and internal audit conducted against QMSR requirements
  • Cybersecurity documentation complete for all connected devices -- SBOM, threat model, security testing reports, vulnerability disclosure policy, and patch management plan included in premarket submissions

Scope & Limitations

In Scope:

  • FDA regulatory pathway selection (510(k), De Novo, PMA) with decision framework and comparison
  • 510(k) submission process including eSTAR requirements, SE comparison, and RTA prevention
  • Quality System Regulation (21 CFR 820) and QMSR (ISO 13485:2016 alignment) compliance assessment
  • HIPAA Security Rule safeguard evaluation for medical device software
  • Device cybersecurity requirements including SBOM, threat modeling, and PATCH Act compliance
  • AI/ML SaMD framework including PCCP, GMLP principles, and training data characterization
  • Cross-framework mapping between FDA, EU MDR, and ISO 13485

Out of Scope:

  • Preparation or writing of actual FDA submission documents -- this skill provides frameworks and gap analysis, not document authoring
  • Clinical trial design, execution, or statistical analysis for PMA clinical data
  • FDA establishment registration, device listing, or UDI system implementation
  • Post-market surveillance reporting (MDR, MedWatch) beyond process guidance
  • De novo classification request scientific review preparation
  • Direct interaction with FDA reviewers or Pre-Submission (Q-Sub) meeting facilitation

Important Notes:

  • The QMSR became effective February 2, 2026 -- all manufacturers must now comply with ISO 13485:2016 as incorporated by reference, with FDA-specific retained requirements
  • The Quality System Inspection Technique (QSIT) has been withdrawn and replaced with updated inspection procedures under Compliance Program 7382.850
  • Risk-based thinking is now expected across all QMS processes under QMSR, not just design controls

Integration Points

SkillIntegrationWhen to Use
quality-manager-qms-iso13485
ISO 13485 QMS implementation aligned with QMSR; process management and supplier qualificationWhen implementing QMS satisfying both ISO 13485 certification and FDA QMSR requirements
mdr-745-specialist
Cross-framework mapping for dual US/EU market submissions; technical documentation alignmentWhen medical device requires both FDA clearance/approval and EU MDR CE marking
capa-officer
CAPA process management per ISO 13485 Clause 8.5 (replacing legacy 820.100 under QMSR)When managing corrective and preventive actions within the FDA quality system
risk-management-specialist
ISO 14971 risk management integrated with design controls and cybersecurity risk assessmentWhen conducting risk analysis for premarket submissions per 820.30(g) and AAMI TIR57
eu-ai-act-specialist
Cross-jurisdictional AI/ML compliance for devices marketed in both US and EUWhen AI-enabled medical device requires both FDA PCCP framework and EU AI Act conformity assessment
infrastructure-compliance-auditor
Technical cybersecurity validation for connected device security controlsWhen documenting cybersecurity architecture and SBOM for premarket submissions

Tool Reference

fda_submission_tracker.py

Tracks FDA submission milestones and calculates regulatory timelines for 510(k), De Novo, and PMA pathways.

FlagRequiredDescription
<project_dir>
YesPath to project directory containing submission documents
--type <pathway>
NoSubmission type: 
510k
(default), 
de_novo
, 
pma
, 
pma_supplement
--json
NoOutput results in JSON format

Output: Milestone tracking with completion status, timeline calculations against FDA review goals, phase progress (planning, preparation, submission, review, decision), and overdue milestone alerts.

qsr_compliance_checker.py

Assesses compliance with 21 CFR Part 820 / QMSR by analyzing project documentation for evidence of implementation.

FlagRequiredDescription
<project_dir>
YesPath to project directory containing QMS documentation
--section <section>
NoCheck specific QSR section (e.g., 
820.30
for design controls, 
820.100
for CAPA)
--json
NoOutput results in JSON format

Output: Per-section compliance status, evidence found (document patterns and keyword matches), compliance percentage, gap identification with required evidence descriptions.

hipaa_risk_assessment.py

Evaluates HIPAA Security Rule safeguards for medical device software and connected devices.

FlagRequiredDescription
<project_dir>
YesPath to project directory for assessment
--category <cat>
NoAssess specific category: 
administrative
, 
physical
, 
technical
, or all (default)
--json
NoOutput results in JSON format

Output: Per-safeguard compliance status across administrative (Section 164.308), physical (Section 164.310), and technical (Section 164.312) categories, with weighted scoring, evidence detection, and remediation recommendations.