Claude-Skills quality-manager-qms-iso13485

install

source · Clone the upstream repo

git clone https://github.com/borghei/Claude-Skills

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/borghei/Claude-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/ra-qm-team/quality-manager-qms-iso13485" ~/.claude/skills/borghei-claude-skills-quality-manager-qms-iso13485 && rm -rf "$T"

manifest: ra-qm-team/quality-manager-qms-iso13485/SKILL.md

source content

Quality Manager - QMS ISO 13485 Specialist

ISO 13485:2016 Quality Management System implementation, maintenance, and certification support for medical device organizations.

QMS Implementation Workflow
Document Control Workflow
Internal Audit Workflow
Process Validation Workflow
Supplier Qualification Workflow
QMS Process Reference
Decision Frameworks
Tools and References

QMS Implementation Workflow

Implement ISO 13485:2016 compliant quality management system from gap analysis through certification.

Workflow: Initial QMS Implementation

Conduct gap analysis against ISO 13485:2016 requirements
Document current state vs. required state for each clause
Prioritize gaps by:
- Regulatory criticality
- Risk to product safety
- Resource requirements
Develop implementation roadmap with milestones
Establish Quality Manual per Clause 4.2.2:
- QMS scope with justified exclusions
- Process interactions
- Procedure references
Create required documented procedures:
- Document control (4.2.3)
- Record control (4.2.4)
- Internal audit (8.2.4)
- Nonconforming product (8.3)
- Corrective action (8.5.2)
- Preventive action (8.5.3)
Deploy processes with training
Validation: Gap analysis complete; Quality Manual approved; all required procedures documented and trained

Gap Analysis Matrix

Clause	Requirement	Current State	Gap	Priority	Action
4.2.2	Quality Manual	Not documented	Major	High	Create QM
4.2.3	Document control	Informal	Moderate	High	Formalize SOP
5.6	Management review	Ad hoc	Major	High	Establish schedule
7.3	Design control	Partial	Moderate	Medium	Complete procedures
8.2.4	Internal audit	None	Major	High	Create program

QMS Structure

Level	Document Type	Purpose	Example
1	Quality Manual	QMS overview, policy	QM-001
2	Procedures	How processes work	SOP-02-001
3	Work Instructions	Task-level detail	WI-06-012
4	Records	Evidence of conformity	Training records

Required Procedure List

Clause	Procedure	Minimum Content
4.2.3	Document Control	Approval, review, distribution, obsolete control
4.2.4	Record Control	Identification, storage, retention, disposal
8.2.4	Internal Audit	Program, auditor qualification, reporting
8.3	Nonconforming Product	Identification, segregation, disposition
8.5.2	Corrective Action	Investigation, root cause, effectiveness
8.5.3	Preventive Action	Risk identification, implementation, verification

Document Control Workflow

Establish and maintain document control per ISO 13485 Clause 4.2.3.

Workflow: Document Creation and Approval

Identify need for new document or revision
Assign document number per numbering convention:
- Format:
```
[TYPE]-[AREA]-[SEQUENCE]-[REV]
```
- Example:
```
SOP-02-001-01
```
Draft document using approved template
Route for review to subject matter experts
Collect and address review comments
Obtain required approvals based on document type
Update Document Master List
Validation: Document numbered correctly; all reviewers signed; Master List updated

Document Numbering Convention

Prefix	Document Type	Approval Authority
QM	Quality Manual	Management Rep + CEO
POL	Policy	Department Head + QA
SOP	Procedure	Process Owner + QA
WI	Work Instruction	Supervisor + QA
TF	Template/Form	Process Owner
SPEC	Specification	Engineering + QA

Area Codes

Code	Area	Examples
01	Quality Management	Quality Manual, policy
02	Document Control	This procedure
03	Training	Competency procedures
04	Design	Design control
05	Purchasing	Supplier management
06	Production	Manufacturing
07	Quality Control	Inspection, testing
08	CAPA	Corrective actions

Document Change Control

Change Type	Approval Level	Examples
Administrative	Document Control	Typos, formatting
Minor	Process Owner + QA	Clarifications
Major	Full review cycle	Process changes
Emergency	Expedited + retrospective	Safety issues

Document Review Schedule

Document Type	Review Period	Trigger for Unscheduled Review
Quality Manual	Annual	Organizational change
Procedures	Annual	Audit finding, regulation change
Work Instructions	2 years	Process change
Forms	2 years	User feedback

Internal Audit Workflow

Plan and execute internal audits per ISO 13485 Clause 8.2.4.

Workflow: Annual Audit Program

Identify processes and areas requiring audit coverage
Assess risk factors for audit frequency:
- Previous audit findings
- Regulatory changes
- Process changes
- Complaint trends
Assign qualified auditors (independent of area audited)
Develop annual audit schedule
Obtain management approval
Communicate schedule to process owners
Track completion and reschedule as needed
Validation: All processes covered; auditors qualified and independent; schedule approved

Workflow: Individual Audit Execution

Prepare audit plan with scope, criteria, and schedule
Notify auditee minimum 1 week prior
Review procedures and previous audit results
Prepare audit checklist
Conduct opening meeting
Collect evidence through:
- Document review
- Record sampling
- Process observation
- Personnel interviews
Classify findings:
- Major NC: Absence or breakdown of system
- Minor NC: Single lapse or deviation
- Observation: Risk of future NC
Conduct closing meeting
Issue audit report within 5 business days
Validation: All checklist items addressed; findings supported by evidence; report distributed

Audit Program Template

Audit #	Process	Clauses	Q1	Q2	Q3	Q4	Auditor
IA-001	Document Control	4.2.3, 4.2.4	X				[Name]
IA-002	Management Review	5.6		X			[Name]
IA-003	Design Control	7.3		X			[Name]
IA-004	Production	7.5			X		[Name]
IA-005	CAPA	8.5.2, 8.5.3				X	[Name]

Auditor Qualification Requirements

Criterion	Requirement
Training	ISO 13485 awareness + auditor training
Experience	Minimum 1 audit as observer
Independence	Not auditing own work area
Competence	Understanding of audited process

Finding Classification Guide

Classification	Criteria	Response Time
Major NC	System absence, total breakdown, regulatory violation	30 days for CAPA
Minor NC	Single instance, partial compliance	60 days for CAPA
Observation	Potential risk, improvement opportunity	Track in next audit

Process Validation Workflow

Validate special processes per ISO 13485 Clause 7.5.6.

Workflow: Process Validation Protocol

Identify processes requiring validation:
- Output cannot be verified by inspection
- Deficiencies appear only in use
- Sterilization, welding, sealing, software
Form validation team with subject matter experts
Write validation protocol including:
- Process description and parameters
- Equipment and materials
- Acceptance criteria
- Statistical approach
Execute Installation Qualification (IQ):
- Verify equipment installed correctly
- Document equipment specifications
Execute Operational Qualification (OQ):
- Test parameter ranges
- Verify process control
Execute Performance Qualification (PQ):
- Run production conditions
- Verify output meets requirements
Write validation report with conclusions
Validation: IQ/OQ/PQ complete; acceptance criteria met; validation report approved

Validation Documentation Requirements

Phase	Content	Evidence
Protocol	Objectives, methods, criteria	Approved protocol
IQ	Equipment verification	Installation records
OQ	Parameter verification	Test results
PQ	Performance verification	Production data
Report	Summary, conclusions	Approval signatures

Revalidation Triggers

Trigger	Action Required
Equipment change	Assess impact, revalidate affected phases
Parameter change	OQ and PQ minimum
Material change	Assess impact, PQ minimum
Process failure	Full revalidation
Periodic	Per validation schedule (typically 3 years)

Special Process Examples

Process	Validation Standard	Critical Parameters
EO Sterilization	ISO 11135	Temperature, humidity, EO concentration, time
Steam Sterilization	ISO 17665	Temperature, pressure, time
Radiation Sterilization	ISO 11137	Dose, dose uniformity
Sealing	Internal	Temperature, pressure, dwell time
Welding	ISO 11607	Heat, pressure, speed

Supplier Qualification Workflow

Evaluate and approve suppliers per ISO 13485 Clause 7.4.

Workflow: New Supplier Qualification

Identify supplier category:
- Category A: Critical (affects safety/performance)
- Category B: Major (affects quality)
- Category C: Minor (indirect impact)
Request supplier information:
- Quality certifications
- Product specifications
- Quality history
Evaluate supplier based on:
- Quality system (ISO certification)
- Technical capability
- Quality history
- Financial stability
For Category A suppliers:
- Conduct on-site audit
- Require quality agreement
Calculate qualification score
Make approval decision:
- 80: Approved
- 60-80: Conditional approval
- <60: Not approved
Add to Approved Supplier List
Validation: Evaluation criteria scored; qualification records complete; supplier categorized

Supplier Evaluation Criteria

Criterion	Weight	Scoring
Quality System	30%	ISO 13485=30, ISO 9001=20, Documented=10, None=0
Quality History	25%	Reject rate: <1%=25, 1-3%=15, >3%=0
Delivery	20%	On-time: >95%=20, 90-95%=10, <90%=0
Technical Capability	15%	Exceeds=15, Meets=10, Marginal=5
Financial Stability	10%	Strong=10, Adequate=5, Questionable=0

Supplier Category Requirements

Category	Qualification	Monitoring	Agreement
A - Critical	On-site audit	Annual review	Quality agreement
B - Major	Questionnaire	Semi-annual review	Quality requirements
C - Minor	Assessment	Issue-based	Standard terms

Supplier Performance Metrics

Metric	Target	Calculation
Accept Rate	>98%	(Accepted lots / Total lots) × 100
On-Time Delivery	>95%	(On-time / Total orders) × 100
Response Time	<5 days	Average days to resolve issues
Documentation	100%	(Complete CoCs / Required CoCs) × 100

QMS Process Reference

ISO 13485 Clause Structure

Clause	Title	Key Requirements
4.1	General Requirements	Process identification, interaction, outsourcing
4.2	Documentation	Quality Manual, procedures, records
5.1-5.5	Management Responsibility	Commitment, policy, objectives, organization
5.6	Management Review	Inputs, outputs, records
6.1-6.4	Resource Management	Personnel, infrastructure, environment
7.1	Product Realization Planning	Quality plan, risk management
7.2	Customer Requirements	Determination, review, communication
7.3	Design and Development	Planning, inputs, outputs, review, V&V, transfer, changes
7.4	Purchasing	Supplier control, purchasing info, verification
7.5	Production	Control, cleanliness, validation, identification, traceability
7.6	Monitoring Equipment	Calibration, control
8.1	Measurement Planning	Monitoring and analysis planning
8.2	Monitoring	Feedback, complaints, reporting, audits, process, product
8.3	Nonconforming Product	Control, disposition
8.4	Data Analysis	Trend analysis
8.5	Improvement	CAPA

Management Review Required Inputs (Clause 5.6.2)

Input	Source	Prepared By
Audit results	Internal and external audits	QA Manager
Customer feedback	Complaints, surveys	Customer Quality
Process performance	Process metrics	Process Owners
Product conformity	Inspection data, NCs	QC Manager
CAPA status	CAPA system	CAPA Officer
Previous actions	Prior review records	QMR
Changes affecting QMS	Regulatory, organizational	RA Manager
Recommendations	All sources	All Managers

Record Retention Requirements

Record Type	Minimum Retention	Regulatory Basis
Device Master Record	Life of device + 2 years	21 CFR 820.181
Device History Record	Life of device + 2 years	21 CFR 820.184
Design History File	Life of device + 2 years	21 CFR 820.30
Complaint Records	Life of device + 2 years	21 CFR 820.198
Training Records	Employment + 3 years	Best practice
Audit Records	7 years	Best practice
CAPA Records	7 years	Best practice
Calibration Records	Equipment life + 2 years	Best practice

Decision Frameworks

Exclusion Justification (Clause 4.2.2)

Clause	Permissible Exclusion	Justification Required
6.4.2	Contamination control	Product not affected by contamination
7.3	Design and development	Organization does not design products
7.5.2	Product cleanliness	No cleanliness requirements
7.5.3	Installation	No installation activities
7.5.4	Servicing	No servicing activities
7.5.5	Sterile products	No sterile products

Nonconformity Disposition Decision Tree

Nonconforming Product Identified
            │
            ▼
    Can it be reworked?
            │
       Yes──┴──No
        │       │
        ▼       ▼
    Is rework     Can it be used
    procedure     as is?
    available?        │
        │        Yes──┴──No
    Yes─┴─No     │       │
     │    │     ▼       ▼
     ▼    ▼  Concession  Scrap or
  Rework  Create    approval    return to
  per SOP  rework    needed?    supplier
          procedure     │
                    Yes─┴─No
                     │    │
                     ▼    ▼
                 Customer  Use as is
                 approval  with MRB
                          approval

CAPA Initiation Criteria

Source	Automatic CAPA	Evaluate for CAPA
Customer complaint	Safety-related	All others
External audit	Major NC	Minor NC
Internal audit	Major NC	Repeat minor NC
Product NC	Field failure	Trend exceeds threshold
Process deviation	Safety impact	Repeated deviations

Tools and References

Scripts

Tool	Purpose	Usage
qms_audit_checklist.py	Generate audit checklists by clause or process	`python qms_audit_checklist.py --help`

Audit Checklist Generator Features:

Generate clause-specific checklists (e.g.,
```
--clause 7.3
```
)
Generate process-based checklists (e.g.,
```
--process design-control
```
)
Full system audit checklist (
```
--audit-type system
```
)
Text or JSON output formats
Interactive mode for guided selection

References

Document	Content
iso13485-clause-requirements.md	Detailed requirements for each ISO 13485:2016 clause with audit questions
qms-process-templates.md	Ready-to-use templates for document control, audit, CAPA, supplier, training

Quick Reference: Mandatory Documented Procedures

Procedure	Clause	Key Elements
Document Control	4.2.3	Approval, distribution, obsolete control
Record Control	4.2.4	Identification, retention, disposal
Internal Audit	8.2.4	Program, auditor qualification, reporting
NC Product Control	8.3	Identification, segregation, disposition
Corrective Action	8.5.2	Root cause, implementation, verification
Preventive Action	8.5.3	Risk identification, implementation

Related Skills

Skill	Integration Point
quality-manager-qmr	Management review, quality policy
capa-officer	CAPA system management
qms-audit-expert	Advanced audit techniques
quality-documentation-manager	DHF, DMR, DHR management
risk-management-specialist	ISO 14971 integration

ISO 13485:2016 Alignment with FDA QMSR

QMSR Transition Impact on ISO 13485 QMS

With the FDA's QMSR (effective February 2, 2026) incorporating ISO 13485:2016 by reference, organizations already ISO 13485 certified gain significant advantages:

Area	Pre-QMSR (Dual System)	Post-QMSR (Unified)
Quality Manual	Separate FDA QSR and ISO 13485 references	Single Quality Manual referencing ISO 13485
Design controls	820.30 + ISO 13485 Clause 7.3 (mapped)	ISO 13485 Clause 7.3 (primary)
CAPA	820.100 + ISO 13485 Clause 8.5	ISO 13485 Clause 8.5 (primary)
Document control	820.40 + ISO 13485 Clause 4.2	ISO 13485 Clause 4.2 (primary)
Purchasing	820.50 + ISO 13485 Clause 7.4	ISO 13485 Clause 7.4 (primary)
Audits	Separate FDA and ISO audit tracks	Single audit satisfying both

FDA-Retained Requirements Beyond ISO 13485

Even under QMSR, certain FDA-specific requirements remain. The QMS must address:

FDA Requirement	CFR Reference	ISO 13485 Gap	Action
Complaint handling (medical device reports)	21 CFR 820.198	Clause 8.2.2 covers complaints but not FDA MDR reporting specifics	Add FDA MDR reporting procedure to complaint handling SOP
Corrections and removals	21 CFR 806	No direct equivalent	Maintain separate procedure for FDA reporting of corrections/removals
Unique Device Identification	21 CFR 830	No UDI clause in ISO 13485	Add UDI procedures to labeling/identification processes
Electronic records and signatures	21 CFR Part 11	No electronic signature requirements	Implement Part 11 compliance for electronic QMS

QMSR Gap Analysis Checklist

Map all existing QSR SOPs to ISO 13485 clause numbers
Identify FDA-retained requirements not covered by ISO 13485
Update Quality Manual scope and references
Retrain staff on ISO 13485 terminology (e.g., "design output" terminology alignment)
Update supplier quality agreements to reference QMSR
Revise internal audit checklist to combined ISO 13485 + FDA requirements
Verify complaint handling addresses both ISO 13485 Clause 8.2.2 and 21 CFR 820.198
Conduct mock audit against QMSR requirements

Digital QMS Implementation

Electronic Document Management System (eDMS) Requirements

Requirement	Implementation	Regulatory Basis
Document version control	Automatic versioning with audit trail	ISO 13485 Clause 4.2.3
Electronic approval workflows	Role-based approval routing with e-signatures	21 CFR Part 11, Annex 11
Access controls	Role-based permissions, segregation of duties	ISO 13485 Clause 4.2.3(c)
Audit trail	Immutable record of all changes with timestamp, user, reason	21 CFR Part 11 §11.10(e)
Backup and recovery	Regular backups with tested restore procedures	ISO 13485 Clause 4.2.4
Training records integration	Link document access to training completion	ISO 13485 Clause 6.2
Obsolete document control	Automatic removal from use with archival	ISO 13485 Clause 4.2.3(e)

Electronic Signatures

Signature Type	Use Case	Technical Requirement
Electronic signature	Document approval, batch release, CAPA closure	Linked to individual, date/time stamped, meaning included
Digital signature	High-assurance: design reviews, regulatory submissions	PKI-based, certificate authority, tamper-evident
Biometric signature	Optional for high-security processes	Fingerprint or similar biometric linked to identity

Audit Trail Requirements

Element	Description	Example
Who	User identity (not shared accounts)	jane.smith@company.com
What	Action performed	"Approved SOP-02-001 Rev 3"
When	Date and time (UTC or with timezone)	2026-03-09T14:30:00Z
Why	Reason for change (required for modifications)	"Updated per CAPA-2026-003 findings"
Previous value	Old content (for modifications)	Automatic diff/version comparison

Cross-Reference: 21 CFR Part 11 / Annex 11

21 CFR Part 11 Requirements for Electronic Records

Requirement	Section	QMS Implementation
Validation	§11.10(a)	Validate eQMS software per GAMP 5 methodology
Audit trail	§11.10(e)	Computer-generated, timestamped, immutable audit trail
System access controls	§11.10(d)	Unique user IDs, passwords, role-based access
Authority checks	§11.10(g)	Only authorized individuals can use specific functions
Device checks	§11.10(h)	Verify source of data input
Personnel qualification	§11.10(i)	Training on system use and Part 11 requirements
Electronic signatures	§11.50, §11.100	Unique to individual, not reusable, linked to records
Open vs. closed systems	§11.30 vs. §11.10	Determine system type; open systems need encryption

Annex 11 (EU GMP) Requirements

Requirement	Section	QMS Implementation
Risk management	§1	Apply risk-based approach to computerized system validation
Personnel	§2	Designated system owner and trained users
Supplier assessment	§3	Assess eQMS vendor quality and compliance capability
Validation	§4-5	IQ/OQ/PQ for eQMS, validation plan and report
Data	§6-9	Data integrity, accuracy checks, data storage
Printouts	§8	Ability to generate clear, legible copies of electronic records
Audit trail	§9	Record of all GMP-relevant changes
Change and configuration management	§10-11	Controlled change process for system modifications
Security	§12	Physical and logical security controls
Incident management	§13	Procedure for reporting and managing system incidents
Electronic signatures	§14	Equivalent legal standing to handwritten signatures
Batch release	§15	Electronic batch release with appropriate controls
Business continuity	§16	Contingency procedures for system unavailability
Archiving	§17	Long-term accessibility and readability of archived data

Remote Audit Considerations (Post-COVID)

Remote Audit Methodology

Audit Element	On-Site Approach	Remote Equivalent
Document review	Physical review of controlled copies	Screen-sharing of eDMS, live navigation
Record sampling	Pull physical records from files	Live database queries via screen-share
Process observation	Walk the production floor	Live video tour, camera-equipped devices
Personnel interviews	Face-to-face	Video conference with individual sessions
Equipment verification	Physical inspection	Live video with zoom capability
Evidence collection	Photocopies, photographs	Screenshots, screen recordings, exported PDFs

Remote Audit Best Practices

Practice	Description
Pre-audit documentation	Share document packages 2 weeks before audit via secure portal
Technology testing	Test video conferencing, screen-sharing, and secure file transfer before audit
Audit plan adaptation	Allow 20-30% more time for remote activities vs. on-site
Secure communication	Use encrypted channels for all audit communications and evidence transfer
Real-time evidence	Prefer live demonstrations over pre-recorded material
Breakout rooms	Use separate video sessions for confidential interviews
Audit trail of the audit	Record audit sessions (with agreement) for reference

Hybrid Audit Model

Activity	Recommended Mode	Rationale
Opening/closing meetings	Remote	Efficient, schedule-friendly
Document and record review	Remote	Full eDMS access, efficient sampling
Process observation (manufacturing)	On-site	Cannot verify physical processes remotely
Cleanroom/controlled environment	On-site	Environmental conditions require physical presence
Software system review	Remote	Screen-sharing is equivalent or better
Management interview	Either	Remote is acceptable
Supplier audit (critical)	On-site	Physical verification essential

Cross-Reference: ISO 42001 for AI-Enabled Medical Devices

ISO 42001 (AI Management System) Integration with ISO 13485

For medical device organizations developing AI-enabled products, ISO 42001:2023 provides an AI management system framework:

ISO 42001 Clause	ISO 13485 Integration Point	Combined Requirement
4. Context of the organization	Clause 4.1 (General requirements)	Extend QMS scope to include AI-specific processes
5. Leadership	Clause 5 (Management responsibility)	AI governance within quality policy and objectives
6. Planning (AI risk assessment)	Clause 7.1 (Risk management planning)	Extend ISO 14971 risk management to AI-specific risks
7. Support (AI competence)	Clause 6.2 (Human resources)	Add AI/ML competency requirements to training matrix
8. Operation (AI lifecycle)	Clause 7.3 (Design and development)	Integrate AI development lifecycle into design controls
9. Performance evaluation	Clause 8 (Measurement, analysis)	Add AI performance metrics to quality monitoring
10. Improvement	Clause 8.5 (CAPA)	Include AI-related incidents in CAPA scope

AI Lifecycle Integration with Design Controls

ISO 13485 Design Control (Cl. 7.3)     ISO 42001 AI Lifecycle
─────────────────────────────────       ─────────────────────
Design Input (7.3.3)                    AI System Requirements
    ↓                                       ↓
Design Output (7.3.4)                   Data Collection & Preparation
    ↓                                   Model Architecture & Training
    ↓                                       ↓
Design Review (7.3.5)                   AI Model Validation Review
    ↓                                       ↓
Design Verification (7.3.6)            Model Verification (accuracy, bias)
    ↓                                       ↓
Design Validation (7.3.7)             Clinical Validation (real-world performance)
    ↓                                       ↓
Design Transfer (7.3.8)               Model Deployment & Monitoring
    ↓                                       ↓
Design Changes (7.3.9)                Model Retraining & Update Control

Supplier Qualification for Software/Cloud Providers

Cloud Service Provider Qualification

Qualification Criterion	Assessment Method	Minimum Requirement
Information security	ISO 27001 certificate or SOC 2 Type II report	Current certification for relevant scope
Data residency	Contractual agreement + architecture review	Data stored in jurisdictions compliant with regulations
Availability SLA	Service agreement review	99.9% uptime minimum for critical systems
Backup and recovery	Architecture review + test results	RPO < 4 hours, RTO < 8 hours for critical systems
Incident notification	Contract clause review	Notification within 24 hours of security incident
Audit rights	Contract clause	Right to audit or receive audit reports
Regulatory compliance	Vendor compliance documentation	GxP-qualified environments (if applicable)
Exit strategy	Data portability assessment	Documented data export capability in standard formats

Software Supplier Assessment

Assessment Area	Category A (Critical)	Category B (Major)	Category C (Minor)
Quality system	ISO 13485 or ISO 9001 required	ISO 9001 preferred	Documented processes
Development process	IEC 62304 compliance evidence	SDLC documentation	Basic version control
Cybersecurity	IEC 81001-5-1 compliance	Security testing evidence	Basic security practices
Change management	Formal change control with notification	Release notes and notification	Version tracking
Validation support	IQ/OQ/PQ documentation provided	Functional test documentation	User documentation
Incident handling	SLA-based response with root cause	Defined support process	Best-effort support

CAPA Integration with Cybersecurity Incidents

Cybersecurity Incident as CAPA Trigger

Incident Type	CAPA Required?	Response Actions
Patient data breach	Yes — automatic	Contain → investigate → notify (GDPR 72h, HIPAA 60 days) → CAPA
Device vulnerability (exploitable)	Yes — automatic	Patch → verify → communicate → CAPA for root cause
Device vulnerability (not exploitable)	Evaluate	Risk assessment → mitigate if feasible → track
Malware on manufacturing system	Yes — automatic	Isolate → clean → verify product integrity → CAPA
Unauthorized access to QMS	Yes — automatic	Revoke access → assess impact → verify record integrity → CAPA
Supplier security incident	Evaluate	Assess impact on device/data → CAPA if product affected

Cybersecurity CAPA Process

Step 1: Incident Detection and Containment
        → Activate incident response plan
        → Contain threat and preserve evidence
        → Assess impact on product safety and quality

Step 2: Investigation (Root Cause Analysis)
        → Technical forensic analysis
        → 5 Whys + attack chain reconstruction
        → Identify QMS process failures that enabled the incident
        → Assess whether product quality was affected

Step 3: Corrective Actions
        → Technical: patch vulnerability, update security controls
        → Process: update SOPs, access controls, monitoring
        → People: security awareness training
        → Product: assess need for field safety corrective action (FSCA)

Step 4: Preventive Actions
        → Threat modeling review for similar attack vectors
        → Security control gap analysis
        → Supply chain security review (if applicable)
        → Update cybersecurity risk assessment

Step 5: Effectiveness Verification
        → Penetration testing to verify fix
        → Monitoring for recurrence (90-day window)
        → Review of updated security metrics
        → Close CAPA with evidence of effectiveness

Step 6: Regulatory Reporting (if required)
        → MDR vigilance report (if patient safety affected)
        → FDA MedWatch report (if applicable)
        → GDPR breach notification (if personal data involved)
        → NIS2 incident report (if essential entity)

Cross-references: See
../information-security-manager-iso27001/SKILL.md
for ISO 27001 incident response procedures,
../fda-consultant-specialist/SKILL.md
for FDA QMSR alignment, and
../risk-management-specialist/SKILL.md
for cybersecurity risk integration with ISO 14971.

ISO 13485 Enhanced — QMSR, Digital QMS & Cross-Framework Integration

ISO 13485:2016 Alignment with FDA QMSR

With FDA's Quality Management System Regulation (QMSR) effective Feb 2026:

Direct Alignment: FDA now recognizes ISO 13485:2016 as the quality system standard
Single QMS: Organizations can maintain one QMS for both FDA and EU market access
Gap Analysis: Identify differences between current QSR procedures and ISO 13485 requirements
Transition Plan: Map QSR 21 CFR 820 sections to ISO 13485 clauses, update procedures
Cross-reference: See
```
fda-consultant-specialist
```
for detailed FDA requirements

Digital QMS Implementation

Electronic Document Control: Validated electronic document management system (eDMS)
Electronic Signatures: 21 CFR Part 11 / EU Annex 11 compliant e-signatures
Audit Trail: Automated, timestamped, immutable record of all document changes
Cloud QMS Platforms: Qualification requirements for SaaS QMS solutions (IQ/OQ/PQ)
Cross-reference: See
```
quality-documentation-manager
```
for Part 11 compliance

Remote Audit Considerations

Hybrid Audits: Combination of on-site and remote activities (ISO 19011 guidance)
Technology Requirements: Secure video conferencing, screen sharing, document access
Limitations: Physical process observations may require on-site verification
Notified Body Acceptance: Most NBs accept hybrid audits for surveillance and recertification

AI-Enabled Medical Device QMS

ISO 42001 Integration: For organizations developing AI-enabled medical devices
Data Governance: Training data quality per ISO 42001 Annex A.7 within QMS
Model Lifecycle: AI model versioning and change control within existing QMS processes
Cross-reference: See
```
iso42001-ai-management
```
for AI management system requirements

Supplier Qualification for Software/Cloud Providers

Cloud Service Providers: Qualification checklist (SOC 2, ISO 27001, data residency, SLAs)
Open Source Software: Risk assessment for OSS components (licensing, maintenance, vulnerabilities)
SaaS Tools: Validation requirements for SaaS platforms used in QMS processes
SBOM Management: Track software components across the supply chain

Troubleshooting

Problem	Likely Cause	Resolution
Audit checklist generator returns empty output	Clause number not recognized	Use exact clause numbers from ISO 13485:2016 (e.g., `7.3` , `4.2.3` , `8.5.2` ). Run with `--interactive` to see all available clauses.
System audit checklist is very large	`--audit-type system` includes all clauses	For targeted audits, use `--clause` or `--process` flags to generate focused checklists. System audits intentionally cover the full standard.
Gap analysis matrix shows all clauses as "Major" gaps	Assessment conducted against a greenfield organization	Prioritize gaps by regulatory criticality and product safety impact. Address Clauses 4.2, 7.3, 8.2.4, 8.3, and 8.5 first as these require mandatory documented procedures.
QMSR transition mapping unclear	QSR sections not aligned to ISO 13485 clauses	The QMSR (effective Feb 2, 2026) incorporates ISO 13485 by reference. Map QSR 21 CFR 820 sub-parts to ISO 13485 clauses using the QMSR Gap Analysis Checklist in this skill.
Supplier qualification score borderline (60-80)	Supplier meets some criteria but has gaps	Issue conditional approval with documented improvement requirements and a defined reassessment date. Increase monitoring frequency until the supplier exceeds the 80-point threshold.
Process validation protocol incomplete	IQ/OQ/PQ phases not clearly separated	Each qualification phase must have distinct objectives, acceptance criteria, and documented results. Use the Validation Documentation Requirements table as a template for protocol structure.
Design control audit questions not applicable	Organization does not perform design activities	ISO 13485 permits exclusion of Clause 7.3 if the organization does not design products. Document the exclusion justification in the Quality Manual per Clause 4.2.2.

Success Criteria

QMS gap analysis completed against all ISO 13485:2016 clauses with documented current state, gap severity, priority, and remediation actions
All 6 mandatory documented procedures established, trained, and effective (document control, record control, internal audit, NC product, corrective action, preventive action)
Quality Manual approved with justified clause exclusions, process interactions documented, and scope clearly defined
QMSR transition completed: all QSR SOPs mapped to ISO 13485 clauses, FDA-retained requirements addressed, internal audit checklist updated for combined ISO 13485 + FDA requirements
Supplier qualification program operational with category-based assessment (A/B/C), documented scoring, and approved supplier list maintained
Process validation completed for all special processes (IQ/OQ/PQ documented with approved protocols and reports)
Certification audit passed with zero Major nonconformities and a plan to address any Minor findings within 60 days

Scope & Limitations

In Scope:

ISO 13485:2016 QMS implementation from gap analysis through certification
Document control system design (numbering, approval, change control, review schedules)
Internal audit program planning and execution per Clause 8.2.4
Process validation methodology (IQ/OQ/PQ) per Clause 7.5.6
Supplier qualification and monitoring per Clause 7.4
FDA QMSR transition planning and gap analysis
Digital QMS implementation (eDMS, Part 11, Annex 11 requirements)
Remote and hybrid audit methodology
AI-enabled medical device QMS considerations (ISO 42001 integration)

Out of Scope:

Clinical evaluation or clinical investigation management (use regulatory-affairs-head for clinical evidence strategy)
Product-specific design control execution (the skill provides the design control framework, not product-specific design inputs/outputs)
Sterilization validation protocol development (requires product-specific expertise per ISO 11135/11137/17665)
Regulatory submission preparation (use fda-consultant-specialist or mdr-745-specialist)
Post-market surveillance program execution (use risk-management-specialist for post-production risk monitoring)
IT infrastructure or cybersecurity implementation (use infrastructure-compliance-auditor for technical security)

Integration Points

Skill	Integration
quality-manager-qmr	QMR oversees QMS effectiveness; management review inputs include QMS process performance metrics
capa-officer	CAPA system (Clause 8.5) is a core QMS process; CAPA effectiveness feeds into management review
qms-audit-expert	Internal audit program (Clause 8.2.4) evaluates QMS processes; audit findings drive CAPA and improvement
quality-documentation-manager	Document and record control (Clause 4.2) provides the documentation foundation for the entire QMS
risk-management-specialist	ISO 14971 risk management integrates with design control (Clause 7.3) and product realization planning (Clause 7.1)
fda-consultant-specialist	QMSR alignment requires mapping FDA-specific requirements (MDR reporting, UDI, Part 11) beyond ISO 13485
regulatory-affairs-head	Regulatory strategy informs QMS scope, market-specific requirements, and certification timelines

Tool Reference

qms_audit_checklist.py

Generates ISO 13485:2016 audit checklists by clause, process, or full system audit.

Flag	Required	Description
`--clause`	No	ISO 13485 clause number to generate a clause-specific checklist (e.g., `7.3` , `4.2.3` , `8.5.2` )
`--process`	No	Process name for a process-based checklist (e.g., `design-control` , `purchasing` , `capa` )
`--audit-type`	No	Audit type: `system` for a full-system checklist covering all clauses
`--output`	No	Output format: `json` for structured output, omit for human-readable text
`--interactive`	No	Launch interactive mode for guided clause/process selection

Claude-Skills quality-manager-qms-iso13485

Quality Manager - QMS ISO 13485 Specialist

Table of Contents

QMS Implementation Workflow

Workflow: Initial QMS Implementation

Gap Analysis Matrix

QMS Structure

Required Procedure List

Document Control Workflow

Workflow: Document Creation and Approval

Document Numbering Convention

Area Codes

Document Change Control

Document Review Schedule

Internal Audit Workflow

Workflow: Annual Audit Program

Workflow: Individual Audit Execution

Audit Program Template

Auditor Qualification Requirements

Finding Classification Guide

Process Validation Workflow

Workflow: Process Validation Protocol

Validation Documentation Requirements

Revalidation Triggers

Special Process Examples

Supplier Qualification Workflow

Workflow: New Supplier Qualification

Supplier Evaluation Criteria

Supplier Category Requirements

Supplier Performance Metrics

QMS Process Reference

ISO 13485 Clause Structure

Management Review Required Inputs (Clause 5.6.2)

Record Retention Requirements

Decision Frameworks

Exclusion Justification (Clause 4.2.2)

Nonconformity Disposition Decision Tree

CAPA Initiation Criteria

Tools and References

Scripts

References

Quick Reference: Mandatory Documented Procedures

Related Skills

ISO 13485:2016 Alignment with FDA QMSR

QMSR Transition Impact on ISO 13485 QMS

FDA-Retained Requirements Beyond ISO 13485

QMSR Gap Analysis Checklist

Digital QMS Implementation

Electronic Document Management System (eDMS) Requirements

Electronic Signatures

Audit Trail Requirements

Cross-Reference: 21 CFR Part 11 / Annex 11

21 CFR Part 11 Requirements for Electronic Records

Annex 11 (EU GMP) Requirements

Remote Audit Considerations (Post-COVID)

Remote Audit Methodology

Remote Audit Best Practices

Hybrid Audit Model

Cross-Reference: ISO 42001 for AI-Enabled Medical Devices

ISO 42001 (AI Management System) Integration with ISO 13485

AI Lifecycle Integration with Design Controls

Supplier Qualification for Software/Cloud Providers

Cloud Service Provider Qualification

Software Supplier Assessment

CAPA Integration with Cybersecurity Incidents

Cybersecurity Incident as CAPA Trigger

Cybersecurity CAPA Process

ISO 13485 Enhanced — QMSR, Digital QMS & Cross-Framework Integration

ISO 13485:2016 Alignment with FDA QMSR

Digital QMS Implementation

Remote Audit Considerations

AI-Enabled Medical Device QMS

Supplier Qualification for Software/Cloud Providers

Troubleshooting

Success Criteria

Scope & Limitations

Integration Points

Tool Reference

qms_audit_checklist.py