Corpus browser · read-only
Every regulatory requirement Preclari currently stores, by source — the clause we cite and the text we claim — each with a link to the official primary source.
corpus/requirements/ + corpus/sources.yaml). Use it with the validation guide: read what we store here, open the primary source to check it, and record findings in the tracker Sheet. Nothing here is editable; fixes go to the corpus team.| Clause we cite | Requirement text we store |
|---|---|
| Annex 11 §1 | Risk management should be applied throughout the lifecycle of the computerised system taking into account patient safety, data integrity and product quality. Decisions on the extent of validation and data integrity controls should be based on a justified and documented risk assessment of the computerised system. |
| Annex 11 §3.1 and §3.4 | Where third parties (suppliers, service providers, integrators, maintainers, data processors) are used, formal agreements must exist between the manufacturer and any third parties, with clear statements of the third party's responsibilities. IT departments are considered analogous. Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request. |
| Annex 11 §4.3 and §4.4 | An up to date listing of all relevant systems and their GMP functionality should be available. For critical systems an up to date system description detailing physical and logical arrangements, data flows, and interfaces with other systems or processes, hardware and software pre-requisites, and security measures should be available. User Requirements Specifications should describe the required functions of the computerised system, be based on documented risk assessment and GMP impact, and be traceable throughout the life cycle. |
| Annex 11 §9 | Consideration should be given, based on a risk assessment, to building into the system the creation of a record of all GMP-relevant changes and deletions (a system generated audit trail). For change or deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and convertible to a generally intelligible form and regularly reviewed. |
| Annex 11 §10 and §11 | Any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure. Computerised systems should be periodically evaluated to confirm that they remain in a valid state and are compliant with GMP. Such evaluations should include the current range of functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security and validation status reports. |
| Clause we cite | Requirement text we store |
|---|---|
| Annex 15 §1.1 | All qualification and validation activities should be planned and take the life cycle of facilities, equipment, utilities, process and product into consideration. |
| Annex 15 §1.4 and §1.5 | The key elements of the site qualification and validation programme should be clearly defined and documented in a validation master plan (VMP) or equivalent document. The VMP should define the qualification and validation system and include or reference the policy, the organisational structure including roles and responsibilities, a summary of the facilities, equipment, systems and processes on site with their qualification and validation status, change control and deviation management for qualification and validation, guidance on developing acceptance criteria, references to existing documents, and the qualification and validation strategy including requalification. |
| Annex 15 §1.7 | A quality risk management approach should be used for qualification and validation activities. In light of increased knowledge and understanding from any changes during the project phase or during commercial production, the risk assessments should be repeated, as required. The way in which risk assessments are used to support qualification and validation activities should be clearly documented. |
| Annex 15 §3.1 and §3.2 | Qualification activities should consider all stages from initial development of the user requirements specification through to the end of use of the equipment, facility, utility or system. [...] The specification for equipment, facilities, utilities or systems should be defined in a URS and/or a functional specification. The essential elements of quality need to be built in at this stage and any GMP risks mitigated to an acceptable level. The URS should be a point of reference throughout the validation life cycle. |
| Annex 15 §4.1 and §4.2 | Equipment, facilities, utilities and systems should be evaluated at an appropriate frequency to confirm that they remain in a state of control. Where re-qualification is necessary and performed at a specific time period, the period should be justified and the criteria for evaluation defined. The possibility of small changes over time should be assessed. |
| Clause we cite | Requirement text we store |
|---|---|
| Chapter 1 §1.4(viii) and §1.4(ix) | A Pharmaceutical Quality System should ensure that a state of control is established and maintained by developing and using effective monitoring and control systems for process performance and product quality, and that the results of product and process monitoring are taken into account in batch release, in the investigation of deviations, and with a view to taking preventive action to avoid potential deviations occurring in the future. |
| Chapter 1 §1.4(xiv) | An appropriate level of root cause analysis should be applied during the investigation of deviations, suspected product defects and other problems, determined using Quality Risk Management principles. Where the true root cause cannot be determined, the most likely root causes should be identified and addressed. Where human error is suspected or identified as the cause, this should be justified having taken care to ensure that process, procedural or system-based errors or problems have not been overlooked. Appropriate corrective and preventive actions should be identified and taken, and their effectiveness monitored. |
| Chapter 1 §1.4(xv) | Medicinal products are not sold or supplied before a Qualified Person has certified that each production batch has been produced and controlled in accordance with the requirements of the Marketing Authorisation and any other regulations relevant to the production, control and release of medicinal products. |
| Chapter 1 §1.4(xii) and §1.4(xiii) | Arrangements are in place for the prospective evaluation of planned changes and their approval prior to implementation, taking into account regulatory notification and approval where required. After implementation of any change, an evaluation is undertaken to confirm the quality objectives were achieved and that there was no unintended deleterious impact on product quality. |
| Chapter 1 §1.10 | Regular periodic or rolling quality reviews of all authorised medicinal products should be conducted with the objective of verifying the consistency of the existing process, the appropriateness of current specifications, and to highlight trends and improvements. Such reviews should normally be conducted and documented annually, and should include at minimum a review of starting materials, critical in-process controls and finished product results, batches that failed to meet specification, significant deviations and their CAPA effectiveness, all changes to processes or analytical methods, Marketing Authorisation variations, stability monitoring results, returns/complaints/recalls, and contractual arrangements defined in Chapter 7. |
| Clause we cite | Requirement text we store |
|---|---|
| Principle and §7.1 | Any activity covered by the GMP Guide that is outsourced should be appropriately defined, agreed and controlled in order to avoid misunderstandings which could result in a product or operation of unsatisfactory quality. There must be a written Contract between the Contract Giver and the Contract Acceptor which clearly establishes the duties of each party, covering the outsourced activities, the products or operations to which they are related, and any technical arrangements made in connection with it. |
| §7.4 and §7.5 | The pharmaceutical quality system of the Contract Giver should include the control and review of any outsourced activities. The Contract Giver is ultimately responsible to ensure processes are in place to assure the control of outsourced activities, incorporating quality risk management principles. Prior to outsourcing activities, the Contract Giver is responsible for assessing the legality, suitability and competence of the Contract Acceptor to carry out the outsourced activities successfully, and for ensuring by means of the Contract that the principles and guidelines of GMP are followed. |
| §7.11 | The Contract Acceptor should not subcontract to a third party any of the work entrusted to him under the Contract without the Contract Giver's prior evaluation and approval of the arrangements. Arrangements made between the Contract Acceptor and any third party should ensure that information and knowledge, including those from assessments of the suitability of the third party, are made available in the same way as between the original Contract Giver and Contract Acceptor. |
| §7.15 | The Contract should describe clearly who undertakes each step of the outsourced activity, including knowledge management, technology transfer, supply chain, subcontracting, quality and purchasing of materials, testing and releasing materials, and undertaking production and quality controls including in-process controls, sampling, and analysis. |
| §7.16 and §7.17 | All records related to the outsourced activities, e.g. manufacturing, analytical and distribution records, and reference samples, should be kept by, or be available to, the Contract Giver. Any records relevant to assessing the quality of a product in the event of complaints or a suspected defect or to investigating a suspected falsified product must be accessible and specified in the relevant procedures of the Contract Giver. The Contract should permit the Contract Giver to audit outsourced activities performed by the Contract Acceptor or his mutually agreed subcontractors. |
| Clause we cite | Requirement text we store |
|---|---|
| Section III.1.a | Data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA). System design and controls should enable easy detection of errors, omissions, and aberrant results throughout the data's life cycle. |
| Section III.1.b and III.1.c | Metadata is contextual information required to understand data, including date/time stamps, user ID, instrument ID, material status data, and audit trails. An audit trail is a secure, computer-generated, time-stamped electronic record that allows reconstruction of the creation, modification, or deletion of an electronic record. The relationships between data and metadata should be preserved in a secure and traceable manner. |
| Section III.2 | Invalidating test results to exclude them from quality unit decisions about conformance to a specification requires a valid, documented, scientifically sound justification. Even if test results are legitimately invalidated, the full CGMP batch record provided to the quality unit must include the original (invalidated) data along with the investigation report that justifies invalidating the result. |
| Section III.3 | A CGMP workflow on a computer system, such as creation of an electronic master production and control record, is an intended use of a computer system that must be checked through validation. The extent of validation should be commensurate with the risk posed by the automated system. Qualifying a platform is not sufficient to demonstrate that a workflow run on it produces correct outputs. |
| Section III.4 and III.5 | Changes to computerized records must be made only by authorized personnel, and actions must be attributable to a specific individual. Shared login credentials cannot satisfy the attributability requirement of parts 211 and 212. Shared read-only user accounts are acceptable for viewing data but cannot be used for actions such as second-person review. The system administrator role should be independent of personnel responsible for record content. |
| Clause we cite | Requirement text we store |
|---|---|
| Section I and Section III.A | Even where FDA exercises enforcement discretion on Part 11 requirements, persons must comply with all applicable predicate rule requirements for records and signatures. Records that are required to be maintained or submitted must remain secure and reliable in accordance with the predicate rules, and FDA can take regulatory action for noncompliance with predicate rules regardless of Part 11 interpretation. |
| Section III.A | FDA continues to enforce, without enforcement discretion, controls including limiting system access to authorized individuals, operational system checks, authority checks, device checks, training and experience requirements for personnel who develop, maintain, or use electronic systems, written policies that hold individuals accountable for actions initiated under their electronic signatures, controls over systems documentation, controls for open systems, and electronic-signature requirements at sections 11.50, 11.70, 11.100, 11.200, and 11.300. |
| Section III.B.2 | Part 11 applies to records required under predicate rules that are maintained in electronic format in place of paper, records maintained in electronic format in addition to paper and relied on to perform regulated activities, electronic records submitted to FDA under predicate rules, and electronic signatures intended to be the equivalent of handwritten signatures. Firms should determine in advance whether they plan to rely on the electronic record or paper record to perform regulated activities and document that decision. |
| Section III.C.1 | The decision to validate computerized systems, and the extent of validation, should take into account the impact the systems have on the firm's ability to meet predicate rule requirements, and the impact those systems might have on the accuracy, reliability, integrity, availability, and authenticity of required records and signatures. The approach should be based on a justified and documented risk assessment. |
| Section III.C.2 | Predicate rules require documentation of date, time, and sequencing of events, as well as any requirements for ensuring that changes to records do not obscure previous entries. Even where Part 11 audit-trail requirements are under enforcement discretion, audit trails or other physical, logical, or procedural security measures are particularly appropriate when users create, modify, or delete regulated records during normal operation. |
| Clause we cite | Requirement text we store |
|---|---|
| Section 1.5 | Implementation of the Q10 model should result in achievement of three main objectives that complement or enhance regional GMP requirements: achieve product realisation through a system that allows the delivery of products with the quality attributes appropriate to meet the needs of patients, healthcare professionals, regulatory authorities and other stakeholders; establish and maintain a state of control through effective monitoring and control systems; and facilitate continual improvement through identification and implementation of appropriate product quality improvements, process improvements, variability reduction, innovations, and pharmaceutical quality system enhancements. |
| Section 1.6 | Use of knowledge management and quality risk management will enable a company to implement ICH Q10 effectively and successfully. Knowledge management is a systematic approach to acquiring, analysing, storing and disseminating information related to products, manufacturing processes and components. Quality risk management as described in ICH Q9 provides the means for science and risk based decisions related to product quality. |
| Section 2.7 | The pharmaceutical quality system extends to the control and review of any outsourced activities and quality of purchased materials. The pharmaceutical company is ultimately responsible to ensure processes are in place to assure the control of outsourced activities and quality of purchased materials. Required processes include assessing the suitability and competence of the other party prior to outsourcing; defining responsibilities and communication processes in a written agreement between contract giver and contract acceptor; monitoring and reviewing the performance of the contract acceptor; and monitoring incoming ingredients and materials to ensure they are from approved sources using the agreed supply chain. |
| Section 3.2.2 | The pharmaceutical company should have a system for implementing corrective actions and preventive actions resulting from the investigation of complaints, product rejections, non-conformances, recalls, deviations, audits, regulatory inspections and findings, and trends from process performance and product quality monitoring. A structured approach to the investigation process should be used with the objective of determining the root cause. The level of effort, formality, and documentation of the investigation should be commensurate with the level of risk, in line with ICH Q9. |
| Section 3.2.3 | The change management system should include quality risk management to evaluate proposed changes, with the level of effort and formality of the evaluation commensurate with the level of risk. Proposed changes should be evaluated relative to the marketing authorisation and current product and process understanding, by expert teams contributing appropriate expertise from relevant areas. After implementation, an evaluation of the change should be undertaken to confirm the change objectives were achieved and that there was no deleterious impact on product quality. |
| Clause we cite | Requirement text we store |
|---|---|
| Section 3 | Two primary principles of quality risk management are that the evaluation of the risk to quality should be based on scientific knowledge and ultimately link to the protection of the patient (risk to quality includes situations where product availability may be impacted, leading to potential patient harm), and that the level of effort, formality, and documentation of the quality risk management process should be commensurate with the level of risk. |
| Section 4.3 | Risk assessment consists of the identification of hazards and the analysis and evaluation of risks associated with exposure to those hazards. Three fundamental questions are helpful: What might go wrong? What is the likelihood it will go wrong? What are the consequences? The output of a risk assessment is either a quantitative estimate of risk or a qualitative description of a range of risk, with descriptors defined in as much detail as possible. |
| Section 5.1 | Formality in quality risk management is not a binary concept; varying degrees of formality may be applied. Factors driving higher formality include uncertainty (lack of knowledge about hazards, harms, and risks), importance (the more important a risk-based decision is in relation to product quality, the higher the level of formality), and complexity. Resource constraints should not be used to justify the use of lower levels of formality. Risk scores, ratings, and assessments should be based on an appropriate use of evidence, science, and knowledge. |
| Section 5.2 | Risk-based decision-making is inherent in all quality risk management activities. As all decision-making relies on the use of knowledge, ICH Q10 applies for guidance on knowledge management. It is important to ensure the integrity of the data that are used for risk-based decision-making. |
| Section 5.3 | Subjectivity can directly impact the effectiveness of risk management activities and the decisions made. Subjectivity should be managed and minimized through approaches including effective knowledge management, structured risk-management methods, cross-functional teams, training in risk-based decision-making, and the use of tools and techniques that promote consistent and objective evaluation of risks. |
| Clause we cite | Requirement text we store |
|---|---|
| Section 3.1 and 3.3 | The organisation needs to take responsibility for the systems used and the data they generate. The organisational culture should ensure data is complete, consistent, and accurate in all its forms, i.e. paper and electronic. The impact of organisational culture, the behaviour driven by performance indicators, objectives, and senior management behaviour on the success of data governance measures should not be underestimated. The data governance policy should be endorsed at the highest levels of the organisation. |
| Section 3.4 | Organisations are expected to implement, design and operate a documented system that provides an acceptable state of control based on the data integrity risk with supporting rationale. An example of a suitable approach is to perform a data integrity risk assessment (DIRA) where the processes that produce data or where data is obtained are mapped out and each of the formats and their controls are identified and the data criticality and inherent risks documented. |
| Section 6.2 | Raw data is defined as the original record (data) which can be described as the first-capture of information, whether recorded on paper or electronically. Information that is originally captured in a dynamic state should remain available in that state. Raw data must permit full reconstruction of the activities. Where this has been captured in a dynamic state and generated electronically, paper copies cannot be considered as 'raw data'. |
| Section 6.5 | Contract Givers should ensure that data ownership, governance, and accessibility are included in any contract or technical agreement with a third party. The Contract Giver should also perform a data governance review as part of their vendor assurance programme. Data governance systems should also ensure that data are readily available and directly accessible on request from national competent authorities. Electronic data should be available in human-readable form. |
| Section 6.10 | Data may only be excluded where it can be demonstrated through valid scientific justification that the data are not representative of the quantity measured, sampled, or acquired. In all cases, this justification should be documented and considered during data review and reporting. All data, even if excluded, should be retained with the original data set and be available for review in a format that allows the validity of the decision to exclude the data to be confirmed. |
| Clause we cite | Requirement text we store |
|---|---|
| Chapter 1 §1.4(viii) and §1.4(ix) | A Pharmaceutical Quality System should ensure that a state of control is established and maintained by developing and using effective monitoring and control systems for process performance and product quality, and that the results of product and process monitoring are taken into account in batch release, in the investigation of deviations, and with a view to taking preventive action to avoid potential deviations occurring in the future. |
| Chapter 1 §1.4(xiv) | An appropriate level of root cause analysis should be applied during the investigation of deviations, suspected product defects, and other problems. This can be determined using Quality Risk Management principles. Where the true root cause cannot be determined, consideration should be given to identifying the most likely root cause and addressing it. Where human error is suspected or identified as the cause, this should be justified having taken care to ensure that process, procedural, or system-based errors or problems have not been overlooked. Appropriate CAPAs should be identified and taken, and their effectiveness monitored in line with Quality Risk Management principles. |
| Chapter 1 §1.4(xv) | Medicinal products are not sold or supplied before an Authorised Person has certified that each production batch has been produced and controlled in accordance with the requirements of the Marketing Authorisation and any other regulations relevant to the production, control, and release of medicinal products. |
| Chapter 1 §1.4(xii) and §1.4(xiii) | Arrangements are in place for the prospective evaluation of planned changes and their approval prior to implementation, taking into account regulatory notification and approval where required. After implementation of any change, an evaluation is undertaken to confirm the quality objectives were achieved and that there was no unintended deleterious impact on product quality. |
| Chapter 1 §1.10 and §1.11 | Regular periodic or rolling quality reviews of all authorised medicinal products should be conducted with the objective of verifying the consistency of the existing process, the appropriateness of current specifications, and to highlight trends and product/process improvements. Reviews should normally be conducted and documented annually, and include review of starting materials, critical in-process controls and finished product results, batches that failed specification and their investigations, significant deviations and CAPA effectiveness, process and analytical method changes, Marketing Authorisation variations, stability results, complaints and recalls, and contractual arrangements defined in Chapter 7. The Authorised Person together with the Marketing Authorisation holder should ensure the quality review is performed in a timely manner and is accurate. |
| Clause we cite | Requirement text we store |
|---|---|
| Section 1.2 and 4.4 | Data governance and related measures should be part of a quality system and are important to ensure the reliability of data and records in good practice activities and regulatory submissions. Data and records should be attributable, legible, contemporaneous, original and accurate, complete, consistent, enduring, and available: commonly referred to as ALCOA+. Data governance should ensure the application of ALCOA+ principles throughout the data life cycle. |
| Section 5.1-5.3 | A Data Integrity Risk Assessment (DIRA) should be carried out to identify and assess areas of risk. This should cover systems and processes that produce data or where data are obtained, and inherent risks. The DIRA should be risk-based, cover the life cycle of data, and consider data criticality. Data criticality may be determined by considering how the data is used to influence the decisions made. The DIRA should be documented and reviewed to ensure that it remains current. Where the risk assessment has highlighted areas for remedial action, prioritisation of actions including acceptance of residual risk should be documented and communicated. |
| Section 4.14 | Changing from paper-based systems to automated or computerised systems (or vice-versa) will not in itself remove the need for appropriate data integrity controls. The controls travel with the data and the underlying GxP activity, not with the format. |
| Section 7.1-7.5 | The selection of a contract acceptor should be done in accordance with an authorised procedure. Outsourcing of activities, ownership of data, and responsibilities of each party should be clearly described in written agreements, with specific attention to data integrity requirements. Compliance with these principles and responsibilities should be verified during periodic site audits, including the review of procedures and data. GxP activities, including outsourcing of data management, should not be sub-contracted to a third party without the prior approval of the contract giver. |
| Section 11.6-11.8 | There should be a documented system in place that defines the access and privileges of users of systems. Access and privileges should be in accordance with the role and responsibility of the individual with appropriate controls to ensure data integrity. A limited number of personnel, with no conflict of interest in data, should be appointed as system administrators. Certain privileges such as data deletion, database amendment, or system configuration changes should not be assigned to administrators without justification, and such activities should only be done with documented evidence of authorization. |
| Clause we cite | Requirement text we store |
|---|---|
| PI 011-3 §4.5 | When a GxP inspector has to assess an installed computerised system at a regulated user's site, the inspector will consider the potential risks, from the automated system to product or material quality or to data integrity, as identified and documented by the regulated user, in order to assess the fitness for purpose of the particular system. The company's risk assessment records may also be referred to as part of this process. |
| PI 011-3 §6.3 and §7.3 | Regulated users should have an inventory of all their computerised systems, ownership, supplier or developer, functionality, links and validation status. A policy and validation master plan for computerised systems should also be available for inspection. The Validation Master Plan should identify which computerised systems are subject to validation, describe validation strategies for different categories of computerised systems, outline protocols and test procedures, define reporting requirements, and identify key personnel and responsibilities. |
| PI 011-3 §9.3 | User Requirement Specifications should be reviewed, authorised and uniquely catalogued, with no conflict between requirements. Each requirement, particularly those to be met to satisfy GxP expectations, should be specified in a manner such that compliance with the requirements is capable of being verified objectively by an authorised method, such as inspection, analysis or test. The URS should be understood and agreed by both user and supplier, distinguish mandatory regulatory requirements from optional features, and contain functional and non-functional requirements that are objectively verifiable. |
| PI 011-3 §17.1 and §18.1 | A formal change control procedure should be established once specifications are under development, requiring clear, prescriptive and accurate documentation and records, with carefully defined responsibilities for participants. The procedure should record details of proposed changes with reasoning, system status and controls impact prior to implementing changes, review and authorisation methods, records of change reviews and sentencing (approval or rejection), the method of indicating change status of documentation, and the method of assessing the full impact of changes including regression analysis and regression testing as appropriate. |
| PI 011-3 §20.1 and §20.2 | The audit trail for data integrity may need to include functions such as authorised user, creations, links, embedded comments, deletions, modifications or corrections, authorities, privileges, time and date. All linked components are to be immutably linked in an IT system security controlled audit trail, and all original data records and any subsequent alterations, additions, deletions or modifications are to be retained accurately and comprehensively within the retrievable audit trail. Special procedures are required for critical data entry requiring a second check, performed either by a second authorised person with logged identification, time and date, or by validated system functionality. |
| Clause we cite | Requirement text we store |
|---|---|
| AMBV Art. 4 (SR 812.212.1); HMG Art. 7 (SR 812.21) | [SWISS FEDERAL LAW, GERMAN VERBATIM, public and freely reproducible] Art. 4 Verantwortlichkeit und Gute Herstellungspraxis 1 Die Person, die eine Bewilligung nach Artikel 3 innehat, trägt für die von ihr durchgeführten Verarbeitungsprozesse und Arbeitsgänge die Verantwortung. 2 Die Herstellung von Arzneimitteln hat nach den GMP-Regeln nach Anhang 1 oder 2 zu erfolgen. [UNOFFICIAL ENGLISH TRANSLATION: informational only. The German text (SR 812.212.1) is the sole legally binding version.] Art. 4 Responsibility and Good Manufacturing Practice 1 The holder of a licence under Article 3 is responsible for the processing operations and activities it carries out. 2 Medicinal products must be manufactured in accordance with the GMP rules set out in Annex 1 or 2. Legal basis in the act: Heilmittelgesetz (HMG, SR 812.21) Art. 7 requires that medicinal products be manufactured according to the recognised rules of Good Manufacturing Practice. A Swiss manufacturing context therefore places a computerised-systems workflow under binding GMP obligations, not outside scope. |
| AMBV Anhang 1 No. 1 (SR 812.212.1) | [SWISS FEDERAL LAW, GERMAN VERBATIM, public and freely reproducible] Anhang 1, Internationale Regeln der Guten Herstellungspraxis. No. 1: Als Regeln der Guten Herstellungspraxis (Good Manufacturing Practice; GMP) sind folgende Bestimmungen anwendbar: [...] c. Leitfaden für die gute Herstellungspraxis, Humanarzneimittel und Tierarzneimittel der Europäischen Kommission (EudraLex, Band 4); d. Grundsätze und Leitlinien der Guten Herstellungspraxis nach dem Übereinkommen vom 8. Oktober 1970 zur gegenseitigen Anerkennung von Inspektionen betreffend die Herstellung pharmazeutischer Produkte. [REFERENCE NOTE] Anhang 1 No. 1 letter c is the EU GMP Guide (EudraLex Volume 4) and letter d is the PIC/S GMP Guide (PE 009; footnote 22 of the AMBV points to www.picscheme.org). Computerised-systems expectations are Annex 11 within each of those guides. Swissmedic confirms this adoption on its public page "Links to the regulations cited in Annexes 1 to 3 of the AMBV", which names both guides. |
| Cross-reference to eu-gmp-annex-11 and pics-pi-011-3 | [REFERENCE-ONLY POINTER: no PIC/S or EU Guide text reproduced here.] For a Swiss-jurisdiction workflow, cite eu-gmp-annex-11 and pics-pi-011-3 for the operational requirement clauses, and state the AMBV Art. 4 and Anhang 1 adoption (with HMG Art. 7 as the legal basis) as the applicability basis rather than treating Switzerland as out of scope. |
| Clause we cite | Requirement text we store |
|---|---|
| EU MDR Art. 10(1) | When placing their devices on the market or putting them into service, manufacturers shall ensure that they have been designed and manufactured in accordance with the requirements of this Regulation. |
| EU MDR Art. 10(2) | Manufacturers shall establish, document, implement and maintain a system for risk management as described in Section 3 of Annex I. |
| EU MDR Art. 10(3) | Manufacturers shall conduct a clinical evaluation in accordance with the requirements set out in Article 61 and Annex XIV, including a PMCF. |
| EU MDR Art. 10(9) | Manufacturers of devices, other than investigational devices, shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device. The quality management system shall cover all parts and elements of a manufacturer's organisation dealing with the quality of processes, procedures and devices. It shall govern the structure, responsibilities, procedures, processes and management resources required to implement the principles and actions necessary to achieve compliance with the provisions of this Regulation. The quality management system shall address at least the following aspects: (a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for management of modifications to the devices covered by the system; (b) identification of applicable general safety and performance requirements and exploration of options to address those requirements; (c) management responsibility; (d) resource management, including selection and control of suppliers and subcontractors; (e) risk management as set out in Section 3 of Annex I; (f) clinical evaluation, including PMCF; (g) product realisation, including planning, design, development, production and service provision; (h) verification of the UDI assignments made in accordance with Article 27(3); (i) setting-up, implementation and maintenance of a post-market surveillance system, in accordance with Article 83; (j) handling communication with competent authorities, notified bodies, other economic operators, customers and/or other stakeholders; (k) processes for reporting of serious incidents and field safety corrective actions in the context of vigilance; (l) management of corrective and preventive actions and verification of their effectiveness; (m) processes for monitoring and measurement of output, data analysis and product improvement. |
| EU MDR Art. 10(10) | Manufacturers shall implement and keep up to date the post-market surveillance system in accordance with Article 83. |
| EU MDR Art. 15(1), Art. 15(2), Art. 15(3) | 1. Manufacturers shall have available within their organisation at least one person responsible for regulatory compliance who possesses the requisite expertise in the field of medical devices. The requisite expertise shall be demonstrated by either of the following: (a) a diploma, certificate or other evidence of formal qualification, awarded on completion of a university degree or of a course of study recognised as equivalent by the Member State concerned, in law, medicine, pharmacy, engineering or another relevant scientific discipline, and at least one year of professional experience in regulatory affairs or in quality management systems relating to medical devices; (b) four years of professional experience in regulatory affairs or in quality management systems relating to medical devices. Without prejudice to national provisions regarding professional qualifications, manufacturers of custom-made devices may demonstrate the requisite expertise referred to in the first subparagraph by having at least two years of professional experience within a relevant field of manufacturing. 2. Micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC shall not be required to have the person responsible for regulatory compliance within their organisation but shall have such person permanently and continuously at their disposal. 3. The person responsible for regulatory compliance shall be responsible for at least the following: (a) ensuring that the conformity of the devices is appropriately checked, in accordance with the quality management system under which the devices are manufactured, before a device is released; (b) ensuring that the technical documentation and the EU declaration of conformity are drawn up and kept up-to-date; (c) ensuring that the post-market surveillance obligations are complied with in accordance with Article 10(10); (d) ensuring that the reporting obligations referred to in Articles 87 to 91 are fulfilled; (e) in the case of investigational devices, ensuring that the statement referred to in Section 4.1 of Annex XV is issued. |
| EU MDR Annex I §1 | Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons, provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety, taking into account the generally acknowledged state of the art. |
| EU MDR Art. 83 | 1. For each device, manufacturers shall plan, establish, document, implement, maintain and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. That system shall be an integral part of the manufacturer's quality management system referred to in Article 10(9). 2. The post-market surveillance system shall be suited to actively and systematically gathering, recording and analysing relevant data on the quality, performance and safety of a device throughout its entire lifetime, and to drawing the necessary conclusions and to determining, implementing and monitoring any preventive and corrective actions. 3. Data gathered by the manufacturer's post-market surveillance system shall in particular be used: (a) to update the benefit-risk determination and to improve the risk management as referred to in Chapter I of Annex I; (b) to update the design and manufacturing information, the instructions for use and the labelling; (c) to update the clinical evaluation; (d) to update the summary of safety and clinical performance referred to in Article 32; (e) for the identification of needs for preventive, corrective or field safety corrective action; (f) for the identification of options to improve the usability, performance and safety of the device; (g) when relevant, to contribute to the post-market surveillance of other devices; and (h) to detect and report trends in accordance with Article 88. The technical documentation shall be updated accordingly. 4. If, in the course of the post-market surveillance, a need for preventive or corrective action or both is identified, the manufacturer shall implement the appropriate measures and inform the competent authorities concerned and, where applicable, the notified body. Where a serious incident is identified or a field safety corrective action is implemented, it shall be reported in accordance with Article 87. |
| EU MDR Art. 84 | The post-market surveillance system referred to in Article 83 shall be based on a post-market surveillance plan, the requirements for which are set out in Section 1.1 of Annex III. For devices other than custom-made devices, the post-market surveillance plan shall be part of the technical documentation specified in Annex II. |
| EU MDR Art. 85 | Manufacturers of class I devices shall prepare a post-market surveillance report summarising the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 84 together with a rationale and description of any preventive and corrective actions taken. The report shall be updated when necessary and made available to the competent authority upon request. |
| EU MDR Art. 86 | 1. Manufacturers of class IIa, class IIb and class III devices shall prepare a periodic safety update report ('PSUR') for each device and where relevant for each category or group of devices summarising the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 84 together with a rationale and description of any preventive and corrective actions taken. Throughout the lifetime of the device concerned, that PSUR shall set out: (a) the conclusions of the benefit-risk determination; (b) the main findings of the PMCF; and (c) the volume of sales of the device and an estimate evaluation of the size and other characteristics of the population using the device and, where practicable, the usage frequency of the device. Manufacturers of class IIb and class III devices shall update the PSUR at least annually. That PSUR shall, except in the case of custom-made devices, be part of the technical documentation as specified in Annexes II and III. Manufacturers of class IIa devices shall update the PSUR when necessary and at least every two years. That PSUR shall, except in the case of custom-made devices, be part of the technical documentation as specified in Annexes II and III. For custom-made devices, the PSUR shall be part of the documentation referred to in Section 2 of Annex XIII. 2. For class III devices or implantable devices, manufacturers shall submit PSURs by means of the electronic system referred to in Article 92 to the notified body involved in the conformity assessment in accordance with Article 52. The notified body shall review the report and add its evaluation to that electronic system with details of any action taken. Such PSURs and the evaluation by the notified body shall be made available to competent authorities through that electronic system. 3. For devices other than those referred to in paragraph 2, manufacturers shall make PSURs available to the notified body involved in the conformity assessment and, upon request, to competent authorities. |
| EU MDR Art. 87(1), Art. 87(2), Art. 87(3), Art. 87(4), Art. 87(5) | 1. Manufacturers of devices made available on the Union market, other than investigational devices, shall report, to the relevant competent authorities, in accordance with Articles 92(5) and (7), the following: (a) any serious incident involving devices made available on the Union market, except expected side-effects which are clearly documented in the product information and quantified in the technical documentation and are subject to trend reporting pursuant to Article 88; (b) any field safety corrective action in respect of devices made available on the Union market, including any field safety corrective action undertaken in a third country in relation to a device which is also legally made available on the Union market, if the reason for the field safety corrective action is not limited to the device made available in the third country. The reports referred to in the first subparagraph shall be submitted through the electronic system referred to in Article 92. 2. Except in cases of urgency in which the manufacturer needs to undertake field safety corrective action immediately, the manufacturer shall, without undue delay, report the field safety corrective action referred to in point (b) of paragraph 1 in advance of the field safety corrective action being undertaken. 3. Manufacturers shall report any serious incident as referred to in point (a) of paragraph 1 immediately after they have established the causal relationship between that incident and their device or that such causal relationship is reasonably possible and not later than 15 days after they become aware of the incident. 4. Notwithstanding paragraph 3, in the event of a serious public health threat as referred to in Article 83 of Decision No 1082/2013/EU, the report referred to in paragraph 1 shall be provided immediately, and not later than 2 days after the manufacturer becomes aware of that threat. 5. In the event of the death of a patient or user or of a serious deterioration in their state of health the report shall be provided immediately after the manufacturer has established or as soon as it suspects a causal relationship between the device and the serious incident but not later than 10 days after the date on which the manufacturer becomes aware of the serious incident. |
| EU MDR Annex III §1.1 | The post-market surveillance plan drawn up in accordance with Article 84. The manufacturer shall prove in a post-market surveillance plan that it complies with the obligation referred to in Article 83. The post-market surveillance plan shall address the collection and utilization of available information, in particular: information concerning serious incidents, including information from PSURs, and field safety corrective actions; records referring to non-serious incidents and data on any undesirable side-effects; information from trend reporting; relevant specialist or technical literature, databases and/or registers; information, including feedbacks and complaints, provided by users, distributors and importers; and publicly available information about similar medical devices. The post-market surveillance plan shall cover at least: a proactive and systematic process to collect any information referred to above; effective and appropriate methods and processes to assess the collected data; suitable indicators and threshold values to be used for the continuous reassessment of the benefit-risk determination and of the risk management as referred to in Section 3 of Annex I; effective and appropriate methods and processes to investigate complaints and analyse market-related experience collected in the field; methods and protocols to manage the events subject to the trend report as provided for in Article 88, including the methods and protocols to be used to establish any statistically significant increase in the frequency or severity of incidents as well as the observation period; effective and appropriate methods of communication with competent authorities, notified bodies, economic operators, customers and/or users; reference to procedures to fulfil the manufacturers' obligations laid down in Articles 83, 84 and 86; systematic procedures to identify and initiate appropriate measures including the corrective actions referred to in Article 89; effective tools to trace and identify devices for which corrective actions might be necessary; and a PMCF plan as referred to in Part B of Annex XIV, or a justification as to why a PMCF is not applicable. |
| Clause we cite | Requirement text we store |
|---|---|
| EU IVDR Art. 10(1) | When placing their devices on the market or putting them into service, manufacturers shall ensure that they have been designed and manufactured in accordance with the requirements of this Regulation. |
| EU IVDR Art. 10(2) | Manufacturers shall establish, document, implement and maintain a system for risk management as described in Section 3 of Annex I. |
| EU IVDR Art. 10(3) | Manufacturers shall conduct a performance evaluation in accordance with the requirements set out in Article 56 and Annex XIII, including a PMPF. |
| EU IVDR Art. 10(8) | Manufacturers of devices, other than devices for performance study, shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with this Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device. The quality management system shall cover all parts and elements of a manufacturer's organisation dealing with the quality of processes, procedures and devices. It shall govern the structure, responsibilities, procedures, processes and management resources required to implement the principles and actions necessary to achieve compliance with the provisions of this Regulation. The quality management system shall address at least the following aspects: (a) a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for management of modifications to the devices covered by the system; (b) identification of applicable general safety and performance requirements and exploration of options to address those requirements; (c) responsibility of the management; (d) resource management, including selection and control of suppliers and sub-contractors; (e) risk management as set out in Section 3 of Annex I; (f) performance evaluation, in accordance with Article 56 and Annex XIII, including PMPF; (g) product realisation, including planning, design, development, production and service provision; (h) verification of the UDI assignments made in accordance with Article 24(3) to all relevant devices and ensuring consistency and validity of information provided in accordance with Article 26; (i) setting-up, implementation and maintenance of a post-market surveillance system, in accordance with Article 78; (j) handling communication with competent authorities, notified bodies, other economic operators, customers and/or other stakeholders; (k) processes for reporting of serious incidents and field safety corrective actions in the context of vigilance; (l) management of corrective and preventive actions and verification of their effectiveness; (m) processes for monitoring and measurement of output, data analysis and product improvement. |
| EU IVDR Art. 10(9) | Manufacturers shall implement and keep up to date the post-market surveillance system in accordance with Article 78. |
| EU IVDR Art. 15(1), Art. 15(2), Art. 15(3), Art. 15(4), Art. 15(5), Art. 15(6) | 1. Manufacturers shall have available within their organisation at least one person responsible for regulatory compliance who possesses the requisite expertise in the field of in vitro diagnostic medical devices. The requisite expertise shall be demonstrated by either of the following: (a) a diploma, certificate or other evidence of formal qualification, awarded on completion of a university degree or of a course of study recognised as equivalent by the Member State concerned, in law, medicine, pharmacy, engineering or another relevant scientific discipline, and at least one year of professional experience in regulatory affairs or in quality management systems relating to in vitro diagnostic medical devices; (b) four years of professional experience in regulatory affairs or in quality management systems relating to in vitro diagnostic medical devices. 2. Micro and small enterprises within the meaning of Commission Recommendation 2003/361/EC shall not be required to have the person responsible for regulatory compliance within their organisation but shall have such person permanently and continuously at their disposal. 3. The person responsible for regulatory compliance shall at least be responsible for ensuring that: (a) the conformity of the devices is appropriately checked, in accordance with the quality management system under which the devices are manufactured, before a device is released; (b) the technical documentation and the EU declaration of conformity are drawn up and kept up-to-date; (c) the post-market surveillance obligations are complied with in accordance with Article 10(9); (d) the reporting obligations referred to in Articles 82 to 86 are fulfilled; (e) in the case of devices for performance studies intended to be used in the context of interventional clinical performance studies or other performance studies involving risks for the subjects, the statement referred to in Section 4.1 of Annex XIV is issued. 4. Where several persons are jointly responsible for regulatory compliance in accordance with paragraphs 1 and 2, their respective areas of responsibility shall be stipulated in writing. 5. The person responsible for regulatory compliance shall suffer no disadvantage within the manufacturer's organisation in relation to the proper fulfilment of his or her duties. 6. Authorised representatives shall have permanently and continuously at their disposal at least one person responsible for regulatory compliance who possesses the requisite expertise regarding the regulatory requirements for in vitro diagnostic medical devices in the Union. |
| EU IVDR Annex I §1 | Devices shall achieve the performance intended by their manufacturer and shall be designed and manufactured in such a way that, during normal conditions of use, they are suitable for their intended purpose. They shall be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons, provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety, taking into account the generally acknowledged state of the art. |
| EU IVDR Art. 78(1), Art. 78(2), Art. 78(3), Art. 78(4) | 1. For each device, manufacturers shall plan, establish, document, implement, maintain and update a post-market surveillance system in a manner that is proportionate to the risk class and appropriate for the type of device. That system shall be an integral part of the manufacturer's quality management system referred to in Article 10(8). 2. The post-market surveillance system shall be suited to actively and systematically gathering, recording and analysing relevant data on the quality, performance and safety of a device throughout its entire lifetime, and to drawing the necessary conclusions and to determining, implementing and monitoring any preventive and corrective actions. 3. Data gathered by the manufacturer's post-market surveillance system shall in particular be used: (a) to update the benefit-risk determination and to improve the risk management as referred to in Section 3 of Annex I; (b) to update the design and manufacturing information, the instructions for use and the labelling; (c) to update the performance evaluation; (d) to update the summary of safety and performance referred to in Article 29; (e) for the identification of needs for preventive, corrective or field safety corrective action; (f) for the identification of options to improve the usability, performance and safety of the device; (g) when relevant, to contribute to the post-market surveillance of other devices; and (h) to detect and report trends in accordance with Article 83. The technical documentation shall be updated accordingly. 4. If, in the course of the post-market surveillance, a need for preventive or corrective action or both is identified, the manufacturer shall implement the appropriate measures and inform the competent authorities concerned and, where applicable, the notified body. Where a serious incident is identified or a field safety corrective action is implemented, it shall be reported in accordance with Article 82. |
| EU IVDR Art. 79 | The post-market surveillance system referred to in Article 78 shall be based on a post-market surveillance plan, the requirements for which are set out in Section 1 of Annex III. The post-market surveillance plan shall be part of the technical documentation specified in Annex II. |
| EU IVDR Art. 80 | Manufacturers of class A and class B devices shall prepare a post-market surveillance report summarising the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 79 together with a rationale and description of any preventive and corrective actions taken. The report shall be updated when necessary and made available to the notified body and the competent authority upon request. |
| EU IVDR Art. 81(1), Art. 81(2), Art. 81(3) | 1. Manufacturers of class C and class D devices shall prepare a periodic safety update report ('PSUR') for each device and where relevant for each category or group of devices summarising the results and conclusions of the analyses of the post-market surveillance data gathered as a result of the post-market surveillance plan referred to in Article 79 together with a rationale and description of any preventive and corrective actions taken. Throughout the lifetime of the device concerned, that PSUR shall set out: (a) the conclusions of the benefit-risk determination; (b) the main findings of the PMPF; and (c) the volume of sales of the device and an estimate of the size and other characteristics of the population using the device and, where practicable, the usage frequency of the device. Manufacturers of class C and class D devices shall update the PSUR at least annually. That PSUR shall be part of the technical documentation as specified in Annexes II and III. 2. For class D devices, manufacturers shall submit PSURs by means of the electronic system referred to in Article 87 to the notified body involved in the conformity assessment in accordance with Article 48. The notified body shall review the report and add its evaluation to that electronic system with details of any action taken. Such PSURs and the evaluation by the notified body shall be made available to competent authorities through that electronic system. 3. For class C devices, manufacturers shall make PSURs available to the notified body involved in the conformity assessment and, upon request, to competent authorities. |
| EU IVDR Art. 82(1), Art. 82(2), Art. 82(3), Art. 82(4), Art. 82(5), Art. 82(8) | 1. Manufacturers of devices made available on the Union market, other than devices for performance study, shall report to the relevant competent authorities the following: (a) any serious incident involving devices made available on the Union market, except expected erroneous results which are clearly documented and quantified in the product information and in the technical documentation and are subject to trend reporting pursuant to Article 83; (b) any field safety corrective action in respect of devices made available on the Union market, including any field safety corrective action undertaken in a third country in relation to a device which is also legally made available on the Union market, if the reason for the field safety corrective action is not limited to the device made available in the third country. The reports referred to in the first subparagraph shall be submitted through the electronic system referred to in Article 87. 2. As a general rule, the period for the reporting referred to in paragraph 1 shall take account of the severity of the serious incident. 3. Manufacturers shall report any serious incident as referred to in point (a) of paragraph 1 immediately after they have established a causal relationship between that incident and their device or that such causal relationship is reasonably possible, and not later than 15 days after they become aware of the incident. 4. Notwithstanding paragraph 3, in the event of a serious public health threat the report referred to in paragraph 1 shall be provided immediately, and not later than 2 days after the manufacturer becomes aware of that threat. 5. In the event of death or an unanticipated serious deterioration in a person's state of health the report shall be provided immediately after the manufacturer has established or as soon as it suspects a causal relationship between the device and the serious incident but not later than 10 days after the date on which the manufacturer becomes aware of the serious incident. 8. Except in cases of urgency in which the manufacturer needs to undertake field safety corrective action immediately, the manufacturer shall, without undue delay, report the field safety corrective action referred to in point (b) of paragraph 1 in advance of the field safety corrective action being undertaken. |
| EU IVDR Annex III §1 | The post-market surveillance plan drawn up in accordance with Article 79. The manufacturer shall prove in a post-market surveillance plan that it complies with the obligation referred to in Article 78. (a) The post-market surveillance plan shall address the collection and utilisation of available information, in particular: information concerning serious incidents, including information from PSURs, and field safety corrective actions; records referring to non-serious incidents and data on any undesirable side-effects; information from trend reporting; relevant specialist or technical literature, databases and/or registers; information, including feedbacks and complaints, provided by users, distributors and importers; and publicly-available information about similar medical devices. (b) The post-market surveillance plan shall cover at least: a proactive and systematic process to collect any information referred to in point (a): the process shall allow a correct characterisation of the performance of the devices and shall also allow a comparison to be made between the device and similar products available on the market; effective and appropriate methods and processes to assess the collected data; suitable indicators and threshold values that shall be used in the continuous reassessment of the benefit-risk analysis and of the risk management as referred to in Section 3 of Annex I; effective and appropriate methods and tools to investigate complaints and analyse market-related experience collected in the field; methods and protocols to manage the events subject to the trend report as provided for in Article 83, including the methods and protocols to be used to establish any statistically significant increase in the frequency or severity of incidents as well as the observation period; methods and protocols to communicate effectively with competent authorities, notified bodies, economic operators and users; reference to procedures to fulfil the manufacturers obligations laid down in Articles 78, 79 and 81; systematic procedures to identify and initiate appropriate measures including corrective actions; effective tools to trace and identify devices for which corrective actions might be necessary; and a PMPF plan as referred to in Part B of Annex XIII, or a justification as to why a PMPF is not applicable. |
| Clause we cite | Requirement text we store |
|---|---|
| IMDRF/SaMD WG/N10FINAL:2013 §5.1 (IMDRF, 9 December 2013, p. 6) | The term "Software as a Medical Device" (SaMD) is defined as software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device. NOTES: • SaMD is a medical device and includes in-vitro diagnostic (IVD) medical device. • SaMD is capable of running on general purpose (non-medical purpose) computing platforms • "without being part of" means software not necessary for a hardware medical device to achieve its intended medical purpose; • Software does not meet the definition of SaMD if its intended purpose is to drive a hardware medical device. • SaMD may be used in combination (e.g., as a module) with other products including medical devices; • SaMD may be interfaced with other medical devices, including hardware medical devices and other SaMD software, as well as general purpose software • Mobile apps that meet the definition above are considered SaMD. |
| IMDRF/SaMD WG/N10FINAL:2013 §1.0 Introduction + §5.1 Notes (IMDRF, 9 December 2013, pp. 4, 6) | Generally medical purpose software consists of: (1) software in a medical device (sometimes referred to as "embedded" or "part of"); (2) software as a medical device (SaMD). [From §5.1 Notes on the SaMD definition:] "without being part of" means software not necessary for a hardware medical device to achieve its intended medical purpose; Software does not meet the definition of SaMD if its intended purpose is to drive a hardware medical device. [From Appendix §10.1 Clarifying SaMD Definition: Examples of software that are not SaMD:] The SaMD definition states "SaMD is defined as software intended to be used for one or more medical purposes that perform these purposes without being part of a hardware medical device". Examples of software that are considered "part of" include software used to "drive or control" the motors and the pumping of medication in an infusion pump; or software used in closed loop control in an implantable pacemaker or other types of hardware medical devices. These types of software, sometimes referred to as "embedded software", "firmware", or "micro-code" are, not SaMD. Software required by a hardware medical device to perform the hardware's medical device intended use is not SaMD even if/when sold separately from the hardware medical device. Software that relies on data from a medical device, but does not have a medical purpose, e.g., software that encrypts data for transmission from a medical device is not SaMD. Software that enables clinical communication and workflow including patient registration, scheduling visits, voice calling, video calling is not SaMD. Software that monitors performance or proper functioning of a device for the purpose of servicing the device, e.g., software that monitors X-Ray tube performance to anticipate the need for replacement; or software that integrates and analyzes laboratory quality control data to identify increased random errors or trends in calibration on IVDs is not SaMD. |
| IMDRF/SaMD WG/N10FINAL:2013 §5.5 and §5.5.1 (IMDRF, 9 December 2013, p. 9) | For SaMD intended use, the definition in GHTF/SG1/N70:2011 "Label and Instructions for Use for Medical Devices" applies: The term "intended use / intended purpose" is the objective intent of the manufacturer regarding the use of a product, process or service as reflected in the specifications, instructions and information provided by the manufacturer. 5.5.1 Additional considerations for SaMD Although not specifically included in the GHTF definition materials such as sales and marketing materials may be considered as "information provided by the manufacturer" and therefore reflect the objective intent of the manufacturer. Sales and marketing materials should be comprehensive and reflect the intended use of the SaMD. |
| IMDRF/SaMD WG/N12FINAL:2014 §4.0 and §5.0 (IMDRF, 18 September 2014, pp. 9-11) | [§4.0 SaMD Background and Aspects Influencing Patient Safety:] Although many of these aspects may affect the importance of the output information from SaMD, only some of these aspects can be identified by the intended use of SaMD. Generally these aspects can be grouped into the following two major factors that provide adequate description of the intended use of SaMD: A. Significance of the information provided by the SaMD to the healthcare decision, and B. State of the healthcare situation or condition. When these factors are included in the manufacturer's description of intended use, they can be used to categorize SaMD. [§5.1 Significance of information provided by SaMD to healthcare decision:] The intended use of the information provided by SaMD in clinical management has different significance on the action taken by the user. 5.1.1 To treat or to diagnose Treating and diagnosing infers that the information provided by the SaMD will be used to take an immediate or near term action: • To treat/prevent or mitigate by connecting to other medical devices, medicinal products, general purpose actuators or other means of providing therapy to a human body • To diagnose/screen/detect a disease or condition (i.e., using sensors, data, or other information from other hardware or software devices, pertaining to a disease or condition). 5.1.2 To drive clinical management Driving clinical management infers that the information provided by the SaMD will be used to aid in treatment, aid in diagnoses, to triage or identify early signs of a disease or condition will be used to guide next diagnostics or next treatment interventions: • To aid in treatment by providing enhanced support to safe and effective use of medicinal products or a medical device. • To aid in diagnosis by analyzing relevant information to help predict risk of a disease or condition or as an aid to making a definitive diagnosis. • To triage or identify early signs of a disease or conditions. 5.1.3 To Inform clinical management Informing clinical management infers that the information provided by the SaMD will not trigger an immediate or near term action: • To inform of options for treating, diagnosing, preventing, or mitigating a disease or condition. • To provide clinical information by aggregating relevant information (e.g., disease, condition, drugs, medical devices, population, etc.) |
| IMDRF/SaMD WG/N12FINAL:2014 §5.2 (IMDRF, 18 September 2014, pp. 11-12) | 5.2 Healthcare Situation or Condition 5.2.1 Critical situation or condition Situations or conditions where accurate and/or timely diagnosis or treatment action is vital to avoid death, long-term disability or other serious deterioration of health of an individual patient or to mitigating impact to public health. SaMD is considered to be used in a critical situation or condition where: • The type of disease or condition is: o Life-threatening state of health, including incurable states, o Requires major therapeutic interventions, o Sometimes time critical, depending on the progression of the disease or condition that could affect the user's ability to reflect on the output information. • Intended target population is fragile with respect to the disease or condition (e.g., pediatrics, high risk population, etc.) • Intended for specialized trained users. 5.2.2 Serious situation or condition Situations or conditions where accurate diagnosis or treatment is of vital importance to avoid unnecessary interventions (e.g., biopsy) or timely interventions are important to mitigate long term irreversible consequences on an individual patient's health condition or public health. SaMD is considered to be used in a serious situation or condition when: • The type of disease or condition is: o Moderate in progression, often curable, o Does not require major therapeutic interventions, o Intervention is normally not expected to be time critical in order to avoid death, long-term disability or other serious deterioration of health, whereby providing the user an ability to detect erroneous recommendations. • Intended target population is NOT fragile with respect to the disease or condition. • Intended for either specialized trained users or lay users. Note: SaMD intended to be used by lay users in a "serious situation or condition" as described here, without the support from specialized professionals, should be considered as SaMD used in a "critical situation or condition". 5.2.3 Non-Serious situation or condition Situations or conditions where an accurate diagnosis and treatment is important but not critical for interventions to mitigate long term irreversible consequences on an individual patient's health condition or public health. SaMD is considered to be used in a non-serious situation or condition when: • The type of disease or condition is: o Slow with predictable progression of disease state (may include minor chronic illnesses or states), o May not be curable; can be managed effectively, o Requires only minor therapeutic interventions, and o Interventions are normally noninvasive in nature, providing the user the ability to detect erroneous recommendations. • Intended target population is individuals who may not always be patients. • Intended for use by either specialized trained users or lay users. |
| IMDRF/SaMD WG/N12FINAL:2014 §7.0 through §7.3 (IMDRF, 18 September 2014, pp. 13-14) | 7.0 SaMD Categorization 7.1 Categorization Principles The following are necessary principles important in the categorization approach of SaMD. • The categorization relies on an accurate and complete SaMD definition statement. • The determination of the categories is the combination of the significance of the information provided by the SaMD to the healthcare decision and the healthcare situation or condition. • The four categories (I, II, III, IV) are based on the levels of impact on the patient or public health where accurate information provided by the SaMD to treat or diagnose, drive or inform clinical management is vital to avoid death, long-term disability or other serious deterioration of health, mitigating public health. • The categories are in relative significance to each other. Category IV has the highest level of impact, Category I the lowest. • When a manufacturer's SaMD definition statement states that the SaMD can be used across multiple healthcare situations or conditions it is categorized at the highest category according to the information included in the SaMD definition statement. • When a manufacturer makes changes to SaMD, during the lifecycle that results in the change of the definition statement, the categorization of SaMD should be reevaluated appropriately. The SaMD is categorized according to the information included in the changed (new) SaMD definition statement. • SaMD will have its own category according to its SaMD definition statement even when a SaMD is interfaced with other SaMD, other hardware medical devices, or used as a module in a larger system. 7.2 SaMD Categories [Risk Categorization Matrix: verbatim from §7.2 table, IMDRF/SaMD WG/N12FINAL:2014, p. 14] State of Healthcare situation or condition | Treat or diagnose | Drive clinical management | Inform clinical management Critical | IV | III | II Serious | III | II | I Non-serious | II | I | I 7.3 Criteria for Determining SaMD Category Criteria for Category IV – i. SaMD that provides information to treat or diagnose a disease or conditions in a critical situation or condition is a Category IV and is considered to be of very high impact. Criteria for Category III – i. SaMD that provides information to treat or diagnose a disease or conditions in a serious situation or condition is a Category III and is considered to be of high impact. ii. SaMD that provides information to drive clinical management of a disease or conditions in a critical situation or condition is a Category III and is considered to be of high impact. Criteria for Category II – i. SaMD that provides information to treat or diagnose a disease or conditions in a non-serious situation or condition is a Category II and is considered to be of medium impact. ii. SaMD that provides information to drive clinical management of a disease or conditions in a serious situation or condition is a Category II and is considered to be of medium impact. iii. SaMD that provides information to inform clinical management for a disease or conditions in a critical situation or condition is a Category II and is considered to be of medium impact. Criteria for Category I – i. SaMD that provides information to drive clinical management of a disease or conditions in a non-serious situation or condition is a Category I and is considered to be of low impact. ii. SaMD that provides information to inform clinical management for a disease or conditions in a serious situation or condition is a Category I and is considered to be of low impact. iii. SaMD that provides information to inform clinical management for a disease or conditions in a non-serious situation or condition is a Category I and is considered to be of low impact. |
| IMDRF/SaMD WG/N12FINAL:2014 §6.0 (IMDRF, 18 September 2014, pp. 12-13) | 6.0 SaMD Definition Statement The intended use of SaMD is normally reflected in various sources such as the manufacturer's specifications, instructions, and other information provided by the manufacturer. The purpose of the SaMD definition statement and the components identified below are to provide an organized factual framework. Statement "A" and "B" are to help the SaMD developer determine the SaMD category in the categorizing framework, while statement "C" is to help the manufacturer manage changes to SaMD that may result in change of the category and to address considerations specific to SaMD. The SaMD definition statement should include a clear and strong statement about intended use, including the following: A. The "significance of the information provided by the SaMD to the healthcare decision" which identifies the intended medical purpose of the SaMD. The statement should explain how the SaMD meets one or more of the purposes described in the definition of a medical device, e.g. supplying information for diagnosis, prevention, monitoring, treatment etc. This statement should be structured in the following terms as defined in section 5.1. o Treat or diagnose o Drive clinical management o Inform clinical management B. The "state of the healthcare situation or condition" that the SaMD is intended for. This statement should be structured in the following terms as defined in section 5.2. o Critical situation or condition o Serious situation or condition o Non-serious situation or condition C. Description of the SaMD's core functionality which identifies the critical features/functions of the SaMD that are essential to the intended significance of the information provided by the SaMD to the healthcare decision in the intended healthcare situation or condition. This description should include only the critical features. |
| IMDRF/SaMD WG/N12FINAL:2014 §8.1.1 Post Market Surveillance (IMDRF, 18 September 2014, pp. 21-22) | 8.1.1 Post Market Surveillance Software risks can never be totally eliminated so SaMD manufacturers should continually monitor customer issues to maintain the safety level. A monitoring process should include ways to capture customer feedback, e.g., through inquiries, complaints, market studies, focus groups, servicing, etc. The inherent nature of software including SaMD allows for efficient methods to understand and capture user experiences. It is recommended that SaMD manufacturers utilize these feedback techniques to understand failure modes and perform analysis to address safety situations. It is also recommended that SaMD manufacturers extend their monitoring to automatically detect errors of the software or system, i.e., discover and recover from an error before a failure can occur. General considerations associated with the monitoring of SaMD include: 1. Due to its non-physical nature, a SaMD may be duplicated and numerous copies and widely spread, often outside the control of the manufacturer. 2. Often an update made available by the manufacturer is left to the user of the SaMD to install. Manufacturers should make sure that appropriate mitigations address any risks that arise from the existence of different versions of the SaMD on the market. 3. Incident investigations should consider any specific case or combination of use cases that may have contributed to the failure and as appropriate manufacturers should consider accident reconstruction principles, e.g., data logging, black box recorder, etc. |
| IMDRF/SaMD WG/N41FINAL:2017 §5.1 (IMDRF, 21 September 2017, p. 9) | 5.1 Clinical Evaluation of a SaMD For purposes of this document "Clinical evaluation of a SaMD" is defined as a set of ongoing activities conducted in the assessment and analysis of a SaMD's clinical safety, effectiveness and performance as intended by the manufacturer in the SaMD's definition statement. This definition is consistent with prior SaMD documents and is adapted from GHTF SG5 N2R8:2007. [From Glossary, N41:] Clinical Evaluation -- the assessment and analysis of clinical data pertaining to a medical device to verify the clinical safety, performance and effectiveness of the device when used as intended by the manufacturer. |
| IMDRF/SaMD WG/N41FINAL:2017 §1.0 Executive Summary + §7.0 (IMDRF, 21 September 2017, pp. 4, 13) | [§1.0 Executive Summary:] This document describes a converged approach for planning the process for clinical evaluation of a SaMD (software with a medical purpose as defined in SaMD N10), as illustrated in Figure 1, to establish that: • There is a valid clinical association between the output of a SaMD and the targeted clinical condition (to include pathological process or state); and • That the SaMD provides the expected technical and clinical data. [§7.0 SaMD Clinical Evaluation Process Flow Chart:] Clinical evaluation is a systematic and planned process to continuously generate, collect, analyze, and assess the clinical data pertaining to a SaMD in order to generate clinical evidence verifying the clinical association and the performance metrics of a SaMD when used as intended by the manufacturer. The quality and breadth of the clinical evaluation is determined by the role of the SaMD for the target clinical condition, and assures that the output of the SaMD is clinically valid and can be used reliably and predictably. ① Valid Clinical Association: Is there a valid clinical association between your SaMD output, based on the inputs and algorithms selected, and your SaMD's targeted clinical condition? Step 1: Verify that the association between the SaMD output and the targeted clinical condition is supported by evidence. Note: All SaMD should demonstrate a valid clinical association. ② Analytical Validation: Does your SaMD meet technical requirements? Step 1: Generate evidence that shows that the output of your SaMD is technically what you expected. Note: All SaMD should demonstrate analytical validation. ③ Clinical Validation: Does your SaMD generate clinically relevant outputs? Step 1: Generate evidence that shows your: • SaMD has been tested in your target population and for your intended use; and that • Users can achieve clinically meaningful outcomes through predictable and reliable use. Note: All SaMD should demonstrate clinical validation. |
| IMDRF/SaMD WG/N41FINAL:2017 §5.3 (IMDRF, 21 September 2017, p. 9) | 5.3 Analytical / Technical Validation of a SaMD Analytical validation measures the ability of a SaMD to accurately, reliably and precisely generate the intended technical output from the input data. Said differently, analytical validation: • Confirms and provides objective evidence that the software was correctly constructed – namely, correctly and reliably processes input data and generates output data with the appropriate level of accuracy, and repeatability and reproducibility (i.e., precision); and • Demonstrates that (a) the software meets its specifications and (b) the software specifications conform to user needs and intended uses. The analytical validation is generally evaluated and determined by the manufacturer during the verification and validation phase of the software development lifecycle using a QMS. Analytical validation is necessary for any SaMD. |
| IMDRF/SaMD WG/N41FINAL:2017 §5.4 (IMDRF, 21 September 2017, p. 10) | 5.4 Clinical Validation of a SaMD Clinical validation measures the ability of a SaMD to yield a clinically meaningful output associated to the target use of SaMD output in the target health care situation or condition identified in the SaMD definition statement. Clinically meaningful means the positive impact of a SaMD on the health of an individual or population, to be specified as meaningful, measurable, patient-relevant clinical outcome(s), including outcome(s) related to the function of the SaMD (e.g., diagnosis, treatment, prediction of risk, prediction of treatment response), or a positive impact on individual or public health. Clinical validity is evaluated and determined by the manufacturer during the development of a SaMD before it is distributed for use (pre-market) and after distribution while the SaMD is in use (post-market). Clinical validation of a SaMD can also be viewed as the relationship between the verification and validation results of the SaMD algorithm and the clinical conditions of interest. Clinical validation is a necessary component of clinical evaluation for all SaMD and can be demonstrated by either: • Referencing existing data from studies conducted for the same intended use; • Referencing existing data from studies conducted for a different intended use, where extrapolation of such data can be justified; or • Generating new clinical data for a specific intended use. Clinical validation is necessary for any SaMD. |
| IMDRF/SaMD WG/N41FINAL:2017 §8.0 (IMDRF, 21 September 2017, pp. 16-17) | 8.0 Importance of Independent Review of a SaMD's Clinical Evaluation SaMD categories are based on the levels of impact on the patient or public health where accurate information provided by the SaMD is important to treat or diagnose, drive clinical management or inform clinical management. For additional information on SaMD categorization, please see Section 7.0 in SaMD N12. As part of the risk-based approach, and subject to individual jurisdiction's laws, independent review of clinical evidence of certain low-risk SaMD may be less important and the manufacturer may 'self-declare' the appropriateness of the evidence. Again, subject to individual jurisdiction's laws, independent review of clinical evidence of more high-risk SaMD is more important in providing users the confidence in the SaMD's performance metrics, including but not limited to, identification of design errors or limitation, broadening technical competence, testing the appropriateness of assumptions, and management of bias. The recommendation for independent review highlights where the evidence generated from the clinical evaluation of the SaMD should be reviewed by someone who has not been significantly involved in the development of the SaMD, and who does not have anything to gain from the SaMD, and who can objectively assess the SaMD's intended purpose and the conformity with the overall clinical evaluation evidence. The level of clinical evaluation and importance of independent review should be commensurate with the risk posed by the SaMD. This document recommends where independent review is more or less important. Independent review is more important for SaMD that 'Treats/Diagnoses Serious and Critical' health care situations and conditions and SaMD that 'Drives Critical' health care situations and conditions. Independent review in this document does not necessarily imply regulatory review but instead demonstrates the concept where independence in review of the results is important. For purposes of this document 'more important' independent review may be conducted by outside experts such as formal consultation with regulators, third parties on behalf of regulators, or the editorial board of a peer-reviewed journal, but may also be conducted by "non-conflicted" internal expert reviewers without significant involvement in the development of the SaMD. |
| IMDRF/SaMD WG/N41FINAL:2017 §9.0 and §9.1 (IMDRF, 21 September 2017, pp. 18-20) | 9.0 Pathway for Continuous Learning Leveraging Real World Performance Data SaMD may leverage connectivity between devices, and people to continuously monitor the safety, effectiveness and performance of the SaMD. A SaMD manufacturer may have a hypothesis about future functionality and intended use of a SaMD that may be informed by continuously collecting and analyzing data on use of the SaMD in a post-market setting. Monitoring real world performance data can help the SaMD functionality and intended use evolve after initial introduction into the market. Such data may include post-market information such as safety data, results from performance studies, on-going clinical evidence generation for medical devices, new research publications / results that support or strengthen the clinical association of the SaMD output to a clinical condition, or direct end-user feedback, that can help the SaMD manufacturer understand the real world performance of the SaMD. This may lead to a change to the SaMD definition statement if supported by the clinical evidence generated through clinical evaluation leveraging real world performance data from the continuous monitoring. 9.1 Considerations for Continuous Learning Leveraging Real World Performance Data • SaMD should facilitate post-market information gathering to allow for disablement of existing or enablement of new functionality within the SaMD. • It is not necessary for the collection of real world performance data by the SaMD manufacturer to rely on the active involvement of the end user. The SaMD manufacturer should aim to impose the least burdensome approach possible in its data collection and leverage the capability of SaMD to collect clinical evidence. • With ongoing clinical evaluation the risk categorisation may potentially change, necessitating a change in the SaMD definition statement. • Real world performance data including post-market information may not be sufficient to generate complete clinical evidence necessary for a change to the SaMD definition statement; as such the SaMD manufacturer should appropriately take into account other clinical evaluation steps required to support the change in SaMD definition statement. • Manufacturers should appropriately review the post-market information collected to determine if there are any changes to the safety, effectiveness or performance, or possible impact on benefits and risks of the SaMD that would indicate a need for a design change or a labeling change regarding contraindications, warnings, precautions or instructions for use. The labeling should identify limitations of the SaMD relevant to its clinical performance and interpretation of its output in a way that is understood by end users. The assessment of post-market information may also lead to a change of intended use (e.g., expansion, modification, or restriction). NOTE: A change to the SaMD definition statement may be subject to regulatory requirements in the individual jurisdiction and a SaMD manufacturer should consult with the regulatory authorities in their jurisdiction. [From Glossary, N41:] The "continuous learning" referred to here is not "machine learning software" (i.e., where software device keeps learning automatically after it has been released into the market); rather it refers to collecting post-market information. |
| IMDRF/SaMD WG/N41FINAL:2017 §3.0 Introduction + §6.2 (IMDRF, 21 September 2017, pp. 7, 12) | [§3.0 Introduction:] The document further explains that: • Clinical evaluation should be an iterative and continuous process as part of the quality management system for medical devices (See SaMD N23 for more information); • Certain SaMD may require independent review of the results of the clinical evaluation, akin to peer review or design review, to ensure that the SaMD is clinically meaningful to users. The level of evaluation and independent review should be commensurate with the risk posed by the specific SaMD (See SaMD N12 for more information); and • Software is unique in its level of connectivity, which may allow the continuous monitoring of the safety, effectiveness, and performance of SaMD. This document encourages manufacturers to use this feature to understand and modify software based on real-world performance. Healthcare decisions increasingly rely on information provided by the output of SaMD where these decisions can impact clinical outcomes and patient care. As such, global regulators expect that performance metrics for a SaMD have a scientific level of rigor that is commensurate with the risk and impact of the SaMD to demonstrate assurance of safety, effectiveness, and performance. [§6.2 Clinical Evaluation Processes:] A SaMD manufacturer is expected to implement on-going lifecycle processes to thoroughly evaluate the product's performance in its intended market. As part of normal new product introduction processes, prior to product launch (pre-market) the manufacturer generates evidence of the product's accuracy, specificity, sensitivity, reliability, limitations, and scope of use in the intended use environment with the intended user, and generates a SaMD definition statement. Once the product is on the market (post-market), as part of normal lifecycle management processes, the manufacturer continues to collect real world performance data (e.g., complaints, safety data), to further understand the customer's needs to ensure the product is meeting those needs, and to monitor the product's continued safety, effectiveness and performance in real-world use. This real world performance data allows the manufacturer to identify and correct any problems, support future expansions in functionality, meet anticipated user demands, or improve the effectiveness of the device. |
| Clause we cite | Requirement text we store |
|---|---|
| ISO 13485:2016 §4-8 (general QMS requirement, incorporated via 21 CFR §820.10(a), 89 FR 7523, Feb. 2, 2024) | A manufacturer subject to this part as described by § 820.1(a) must: (a) Document. Document a quality management system that complies with the applicable requirements of ISO 13485 (incorporated by reference, see § 820.7) and other applicable requirements of this part; and (b) Applicable regulatory requirements. Comply, as appropriate, with the other applicable regulatory requirements in this title, including, but not limited to the following, to fully comply with the listed ISO 13485 Clause: (1) For Clause 7.5.8 in ISO 13485, Identification, the manufacturer must document a system to assign unique device identification to the medical device in accordance with the requirements of part 830 of this chapter. (2) For Clause 7.5.9.1 in ISO 13485, Traceability:General, the manufacturer must document procedures for traceability in accordance with the requirements of part 821 of this chapter, if applicable. (3) For Clause 8.2.3 in ISO 13485, Reporting to regulatory authorities, the manufacturer must notify FDA of complaints that meet the reporting criteria of part 803 of this chapter. (4) For Clauses 7.2.3, 8.2.3, and 8.3.3, advisory notices shall be handled in accordance with the requirements of part 806 of this chapter. [Source: 21 CFR §820.10, verbatim from 89 FR 7523, Feb. 2, 2024 (document 2024-01709, 89 FR 7496). Effective Feb. 2, 2026.] |
| ISO 13485:2016 §8.2.1 Feedback (incorporated by reference via 21 CFR §820.10(a) and §820.7(b), 89 FR 7523) | [VERBATIM GAP: see file-level notice. The following is the verbatim incorporation-by-reference provision from 21 CFR §820.7(b) that makes Clause 8.2.1 binding US law:] (b) ISO 13485:2016(E) ("ISO 13485"), Medical devices:Quality management systems:Requirements for regulatory purposes, Third edition, March 1, 2016; IBR approved for §§ 820.1, 820.3, 820.10, 820.35, and 820.45. [Source: 21 CFR §820.7(b), verbatim from 89 FR 7523, Feb. 2, 2024 (document 2024-01709, 89 FR 7496). Effective Feb. 2, 2026.] [QMSR preamble context (89 FR 7496): ISO 13485 Clause 8.2.1 requires the organization to establish a documented procedure to collect and analyse data from post-production activities as part of a feedback system. This feedback system serves as an early warning signal for quality problems and is a direct input to corrective action and preventive action (CAPA) processes. The QMSR incorporates this clause in full by reference; no supplemental US regulatory text was added for Clause 8.2.1 specifically.] |
| ISO 13485:2016 §8.2.2 Complaint Handling (21 CFR §820.35(a), 89 FR 7523) | In addition to the requirements of Clause 4.2.5 in ISO 13485 (incorporated by reference, see § 820.7), Control of Records, the manufacturer must include the following information in certain records: (a) Records of complaints. In addition to Clause 8.2.2 in ISO 13485, Complaint Handling, the manufacturer shall maintain records of the review, evaluation, and investigation for any complaints involving the possible failure of a device, labeling, or packaging to meet any of its specifications. If an investigation has already been performed for a similar complaint, another investigation is not necessary, and the manufacturer shall maintain records documenting justification for not performing such investigation. For complaints that must be reported to FDA under part 803 of this chapter, complaints that a manufacturer determines must be investigated, and complaints that the manufacturer investigated regardless of those requirements, the manufacturer must record the following information: (1) The name of the device; (2) The date the complaint was received; (3) Any unique device identifier (UDI) or universal product code (UPC), and any other device identification(s); (4) The name, address, and phone number of the complainant; (5) The nature and details of the complaint; (6) Any correction or corrective action taken; and (7) Any reply to the complainant. [Source: 21 CFR §820.35(a), verbatim from 89 FR 7523, Feb. 2, 2024 (document 2024-01709, 89 FR 7496). Effective Feb. 2, 2026. This section supplements ISO 13485 Clause 8.2.2 with additional US-specific record requirements. ISO 13485 Clause 8.2.2 itself is incorporated by reference via §820.10(a) and §820.7(b).] |
| ISO 13485:2016 §8.2.3 Reporting to Regulatory Authorities (21 CFR §820.10(b)(3)-(4), 89 FR 7523) | (b) Applicable regulatory requirements. Comply, as appropriate, with the other applicable regulatory requirements in this title, including, but not limited to the following, to fully comply with the listed ISO 13485 Clause: (3) For Clause 8.2.3 in ISO 13485, Reporting to regulatory authorities, the manufacturer must notify FDA of complaints that meet the reporting criteria of part 803 of this chapter. (4) For Clauses 7.2.3, 8.2.3, and 8.3.3, advisory notices shall be handled in accordance with the requirements of part 806 of this chapter. [Source: 21 CFR §820.10(b)(3)-(4), verbatim from 89 FR 7523, Feb. 2, 2024 (document 2024-01709, 89 FR 7496). Effective Feb. 2, 2026. ISO 13485 Clause 8.2.3 itself is incorporated by reference via §820.10(a) and §820.7(b). The QMSR cross-references 21 CFR Part 803 (Medical Device Reporting, MDR) as the specific mechanism for US reporting obligations under Clause 8.2.3.] |
| ISO 13485:2016 §8.5.2 Corrective Action (incorporated by reference via 21 CFR §820.10(a) and §820.7(b), 89 FR 7523) | [VERBATIM GAP: see file-level notice. The following is the verbatim incorporation-by-reference provision from 21 CFR §820.7(b) that makes Clause 8.5.2 binding US law:] (b) ISO 13485:2016(E) ("ISO 13485"), Medical devices:Quality management systems:Requirements for regulatory purposes, Third edition, March 1, 2016; IBR approved for §§ 820.1, 820.3, 820.10, 820.35, and 820.45. [Source: 21 CFR §820.7(b), verbatim from 89 FR 7523, Feb. 2, 2024 (document 2024-01709, 89 FR 7496). Effective Feb. 2, 2026.] [QMSR preamble context (89 FR 7496): Clause 8.5.2 of ISO 13485 addresses corrective action (CA). The QMSR preamble states: "Clauses 8.2.2, 8.5.2, and 8.3.1 of ISO 13485 address investigations of complaints, sharing relevant information between the organization and any external party involved in the complaints, determining the need to investigate nonconformities and any need to notify an external party responsible for a nonconformity." The preamble further notes that ISO 13485 has one Clause outlining corrective action (Clause 8.5.2) and another for preventive action (Clause 8.5.3), both incorporated by reference into the QMSR. The former 21 CFR §820.100 (QS Regulation CAPA requirements) has been withdrawn; compliance is now through ISO 13485 Clause 8.5.2 directly.] |
| ISO 13485:2016 §7.3 Design and Development (21 CFR §820.10(c), 89 FR 7523) | (c) Design and development. Manufacturers of class II, class III, and those class I devices listed in paragraph (c)(1) of this section and table 1 to paragraph (c)(2) of this section must comply with the requirements in Design and Development, Clause 7.3 and its Subclauses in ISO 13485. The class I devices are as follows: (1) Devices automated with computer software; and (2) The devices listed in the following table: Table 1 to Paragraph (c)(2) Section | Device 868.6810 | Catheter, Tracheobronchial Suction. 878.4460 | Glove, Non-powdered Surgeon's. 880.6760 | Restraint, Protective. 892.5650 | System, Applicator, Radionuclide, Manual. 892.5740 | Source, Radionuclide Teletherapy. [Source: 21 CFR §820.10(c), verbatim from 89 FR 7523, Feb. 2, 2024 (document 2024-01709, 89 FR 7496). Effective Feb. 2, 2026. ISO 13485 Clause 7.3 and its subclauses (7.3.1 through 7.3.10) are incorporated by reference via §820.10(a) and §820.7(b). The QMSR preamble notes that Clause 7.3.10 requires the design and development file to contain or reference all records necessary to establish compliance with design and development requirements, including the design and development plan and design and development procedures.] |
| 21 CFR §820.7(b): Incorporation by Reference of ISO 13485:2016 (89 FR 7523) | § 820.7 Incorporation by reference. Certain material is incorporated by reference into this part with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. All approved incorporation by reference (IBR) material is available for inspection at the Food and Drug Administration, and at the National Archives and Records Administration (NARA). Contact FDA at: Dockets Management Staff, 5630 Fishers Lane, Rm. 1061, Rockville, MD 20852; 240-402-7500; https://www.regulations.gov/document/ FDA-2013-S-0610-0003. For information on the availability of this material at NARA, visit www.archives.gov/federal-register/cfr/ibr-locations or email fr.inspection@nara.gov. This material may be obtained from the International Organization for Standardization (ISO), BIBC II, Chemin de Blandonnet 8, CP 401, 1214 Vernier, Geneva, Switzerland; +41-22-749-01-11; customerservice@iso.org, https://www.iso.org/store.html. (a) ISO 9000:2015(E) ("ISO 9000"), Quality Management systems:Fundamentals and vocabulary, Clause 3:Terms and definitions, Fourth edition, September 15, 2015. IBR approved for § 820.3. (b) ISO 13485:2016(E) ("ISO 13485"), Medical devices:Quality management systems:Requirements for regulatory purposes, Third edition, March 1, 2016; IBR approved for §§ 820.1, 820.3, 820.10, 820.35, and 820.45. [Source: 21 CFR §820.7, verbatim from 89 FR 7523, Feb. 2, 2024 (document 2024-01709, 89 FR 7496). Effective Feb. 2, 2026.] |
| Clause we cite | Requirement text we store |
|---|---|
| MepV Art. 49 (SR 812.213) | [GERMAN VERBATIM] Art. 49 Für die Einhaltung der Vorschriften verantwortliche Person 1 Hersteller müssen in ihrer Organisation über mindestens eine Person verfügen, die das erforderliche Fachwissen auf dem Gebiet der Medizinprodukte aufweist und die für die Einhaltung der Vorschriften verantwortlich ist. 2 Der Nachweis des erforderlichen Fachwissens der für die Einhaltung der Vorschrif- ten verantwortlichen Person, die Verantwortung dieser Person sowie Ausnahmen und die weiteren Modalitäten richten sich nach Artikel 15 EU-MDR. 3 Die Stellvertretung der für die Einhaltung der Vorschriften verantwortlichen Person muss sichergestellt sein. Sind mehrere Personen gemeinsam für die Einhaltung der Vorschriften verantwortlich, so müssen ihre jeweiligen Aufgabenbereiche schriftlich festgehalten werden. 4 Die für die Einhaltung der Vorschriften verantwortliche Person darf im Zusammen- hang mit der korrekten Erfüllung ihrer Pflichten innerhalb der Organisation des Herstellers keinerlei Nachteile erleiden, und zwar unabhängig davon, ob sie eine Beschäftigte der Organisation ist oder nicht. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 49 Person responsible for regulatory compliance 1 Manufacturers shall have available in their organisation at least one person who possesses the requisite expertise in the field of medical devices and who is responsible for regulatory compliance. 2 Proof of the requisite expertise of the person responsible for regulatory compliance, the responsibilities of that person, as well as exceptions and further modalities, shall be governed by Article 15 EU-MDR. 3 A deputy for the person responsible for regulatory compliance shall be ensured. Where several persons are jointly responsible for regulatory compliance, their respective areas of responsibility shall be set out in writing. 4 The person responsible for regulatory compliance shall not be penalised, within the manufacturer's organisation, in connection with the proper fulfilment of their duties, regardless of whether they are an employee of the organisation. |
| MepV Art. 52 (SR 812.213) | [GERMAN VERBATIM] Art. 52 Für die Einhaltung der Vorschriften verantwortliche Person 1 Bevollmächtigte müssen dauerhaft und ständig auf mindestens eine Person zurück- greifen können, die das erforderliche Fachwissen über die Anforderungen für Medi- zinprodukte nach dieser Verordnung aufweist und für die Einhaltung der Vorschriften verantwortlich ist. 2 Im Übrigen gilt Artikel 49 Absätze 2–4 sinngemäss. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 52 Person responsible for regulatory compliance (Authorized Representative) 1 Authorized representatives shall have permanent and continuous access to at least one person who possesses the requisite expertise in the requirements for medical devices under this Ordinance and who is responsible for regulatory compliance. 2 In all other respects, Article 49 paragraphs 2–4 shall apply mutatis mutandis. |
| MepV Art. 56 (SR 812.213) | [GERMAN VERBATIM] Art. 56 System 1 Für jedes Produkt müssen die Hersteller in einer der Risikoklasse und der Art des Produkts angemessenen Weise ein System zur Überwachung nach dem Inverkehr- bringen planen, einrichten, dokumentieren, anwenden, instand halten und auf den neu- esten Stand bringen. Dieses System ist integraler Bestandteil des Qualitätsmanage- mentsystems des Herstellers. 2 Das System muss geeignet sein, aktiv und systematisch einschlägige Daten über die Qualität, die Leistung und die Sicherheit eines Produkts während dessen gesamter Lebensdauer zu sammeln, aufzuzeichnen und zu analysieren sowie die erforderlichen Schlussfolgerungen zu ziehen und etwaige Präventiv- oder Korrekturmassnahmen zu ermitteln, durchzuführen und zu überwachen. 3 Die Modalitäten des Systems, insbesondere die sich daraus ergebenden Massnah- men, Aktualisierungen und Anpassungen der technischen Dokumentation, richten sich nach Artikel 83 Absatz 3 EU-MDR. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 56 System 1 For each device, manufacturers shall plan, set up, document, implement, maintain and update a post-market surveillance system in a manner that is appropriate to the risk class and type of the device. That system shall be an integral part of the manufacturer's quality management system. 2 The system shall be suited to actively and systematically gathering, recording and analysing relevant data about the quality, performance and safety of a device throughout its entire lifetime, drawing the necessary conclusions and determining, implementing and monitoring any preventive or corrective actions. 3 The modalities of the system, in particular the resulting measures, updates and adaptations of the technical documentation, shall be governed by Article 83 paragraph 3 EU-MDR. |
| MepV Art. 57 (SR 812.213) | [GERMAN VERBATIM] Art. 57 Vorkommnisse und Massnahmen 1 Zeigt sich im Verlauf der Überwachung nach dem Inverkehrbringen, dass Präventiv- oder Korrekturmassnahmen oder beides erforderlich sind, so ergreift der Hersteller die geeigneten Massnahmen und unterrichtet die zuständigen Behörden und gegebe- nenfalls die bezeichnete Stelle. 2 Stellt der Hersteller ein schwerwiegendes Vorkommnis fest oder ergreift er aus me- dizinischen oder technischen Gründen eine Massnahme zur Verhinderung oder Ver- ringerung des Risikos eines solchen Vorkommnisses im Zusammenhang mit einem auf dem Markt bereitgestellten Produkt (Sicherheitskorrekturmassnahme im Feld), so ist dies gemäss Artikel 66 zu melden. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 57 Incidents and measures 1 If, in the course of post-market surveillance, it emerges that preventive or corrective actions or both are necessary, the manufacturer shall take the appropriate measures and inform the competent authorities and, where applicable, the notified body. 2 If the manufacturer identifies a serious incident or takes a measure, for medical or technical reasons, to prevent or reduce the risk of such an incident in connection with a device made available on the market (field safety corrective action), this shall be reported in accordance with Article 66. |
| MepV Art. 58 (SR 812.213) | [GERMAN VERBATIM] Art. 58 Plan Der Plan zur Überwachung nach dem Inverkehrbringen muss den Anforderungen nach Anhang III Abschnitt 1 EU-MDR genügen. Ausser bei Sonderanfertigungen ist der Plan Teil der technischen Dokumentation nach Anhang II EU-MDR. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 58 Plan The post-market surveillance plan shall meet the requirements of Section 1 of Annex III EU-MDR. Except in the case of custom-made devices, the plan shall form part of the technical documentation in accordance with Annex II EU-MDR. |
| MepV Art. 59 (SR 812.213) | [GERMAN VERBATIM] Art. 59 Bericht 1 Hersteller von Produkten der Klasse I erstellen einen Bericht zur Überwachung nach dem Inverkehrbringen. 2 Der Bericht enthält: a. eine Zusammenfassung der Ergebnisse und Schlussfolgerungen der Analysen der aufgrund des Plans gemäss Artikel 58 gesammelten Daten; b. eine Beschreibung allfälliger ergriffener Präventiv- oder Korrekturmass- nahmen einschliesslich deren Begründung. 3 Er ist Teil der technischen Dokumentation über die Überwachung nach dem Inver- kehrbringen nach Anhang III EU-MDR. 4 Der Hersteller aktualisiert den Bericht bei Bedarf und stellt ihn der zuständigen Be- hörde auf Ersuchen zur Verfügung. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 59 Report (Class I devices) 1 Manufacturers of Class I devices shall draw up a post-market surveillance report. 2 The report shall contain: a. a summary of the results and conclusions of the analyses of the data gathered on the basis of the plan pursuant to Article 58; b. a description of any preventive or corrective actions taken including their justification. 3 It shall form part of the technical documentation on post-market surveillance in accordance with Annex III EU-MDR. 4 The manufacturer shall update the report when necessary and make it available to the competent authority upon request. |
| MepV Art. 60–61 (SR 812.213) | [GERMAN VERBATIM] Art. 60 Pflicht 1 Hersteller von Produkten der Klassen IIa, IIb und III erstellen für jedes Produkt und gegebenenfalls für jede Produktkategorie oder Produktgruppe einen Sicherheitsbe- richt. 2 Die Hersteller von Produkten der Klasse IIa aktualisieren den Sicherheitsbericht bei Bedarf, mindestens jedoch alle zwei Jahre. Die Hersteller von Produkten der Klassen IIb und III aktualisieren diesen Bericht mindestens einmal jährlich. Art. 61 Inhalt 1 Der Sicherheitsbericht enthält: a. eine Zusammenfassung der Ergebnisse und Schlussfolgerungen der Analysen der gesammelten Daten auf der Grundlage des Plans nach Artikel 58; b. eine Beschreibung allfällig ergriffener Präventiv- oder Korrekturmassnahmen und deren Begründung. 2 Während der gesamten Lebensdauer des betreffenden Produkts bleiben im Sicher- heitsbericht aufgeführt: a. die Schlussfolgerungen aus der Nutzen-Risiko-Abwägung; b. die wichtigsten Ergebnisse der klinischen Nachbeobachtung nach dem Inver- kehrbringen; c. die Gesamtabsatzmenge des Produkts; d. eine Schätzung der Anzahl Personen, bei denen das betreffende Produkt zur Anwendung kommt; e. Merkmale der Personen nach Buchstabe d; f. die Häufigkeit der Produktanwendung, sofern dies praktikabel ist. 3 Der Sicherheitsbericht bildet Teil der technischen Dokumentation gemäss den An- hängen II und III EU-MDR. Bei Sonderanfertigungen ist er Teil der Dokumentation nach Anhang XIII Abschnitt 2 EU-MDR. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 60 Obligation (PSUR) 1 Manufacturers of Class IIa, IIb and III devices shall draw up a safety report for each device and, where applicable, for each device category or group. 2 Manufacturers of Class IIa devices shall update the safety report when necessary, but at least every two years. Manufacturers of Class IIb and III devices shall update that report at least once a year. Art. 61 Content (PSUR) 1 The safety report shall contain: a. a summary of the results and conclusions of the analyses of the data gathered on the basis of the plan pursuant to Article 58; b. a description of any preventive or corrective actions taken and their justification. 2 Throughout the lifetime of the device concerned, the safety report shall set out: a. the conclusions of the benefit-risk determination; b. the main findings of the post-market clinical follow-up; c. the total volume of sales of the device; d. an estimate of the size of the population using the device concerned; e. characteristics of the persons referred to in point d; f. the frequency of use of the device, where practicable. 3 The safety report shall form part of the technical documentation in accordance with Annexes II and III EU-MDR. In the case of custom-made devices, it shall form part of the documentation in accordance with Section 2 of Annex XIII EU-MDR. |
| MepV Art. 66 (SR 812.213) | [GERMAN VERBATIM] Art. 66 Meldepflicht 1 Der Hersteller eines in der Schweiz bereitgestellten Produkts oder die Person, die gemäss Artikel 22 Absätze 1 und 3 EU-MDR Systeme oder Behandlungseinheiten zusammenstellt und in der Schweiz bereitstellt, muss der Swissmedic melden: a. schwerwiegende Vorkommnisse im Zusammenhang mit dem betreffenden Produkt, die in der Schweiz geschehen sind, sobald er oder sie davon Kenntnis erhält; b. in der Schweiz ergriffene Sicherheitskorrekturmassnahmen im Feld. 2 Ausnahmen zu dieser Meldepflicht, die Modalitäten, die Mitteilung von periodi- schen Sammelmeldungen, die Meldung von Trends sowie die Analyse der schwer- wiegenden Vorkommnisse und der Sicherheitskorrekturmassnahmen im Feld richten sich nach den Artikeln 27 Absatz 5 und 87–89 EU-MDR. 2bis Wird nach Artikel 51 ein Bevollmächtigter verlangt, so trägt dieser die Verant- wortung für die Meldung nach Absatz 1. Zudem reicht der Bevollmächtigte unaufge- fordert die Trendberichte nach Absatz 2 bezüglich Vorkommnissen in der Schweiz sowie im Ausland bei der Swissmedic ein. Abschlussberichte gemäss Artikel 89 EU-MDR sind der Swissmedic einzureichen. Die Übertragung dieser Pflichten vom Hersteller oder von der Person, die gemäss Artikel 22 Absätze 1 und 3 EU-MDR Systeme oder Behandlungseinheiten zusammenstellt, auf den Bevollmächtigten ist im Mandat schriftlich zu vereinbaren. 4 Wer als Fachperson bei der Anwendung von Produkten ein schwerwiegendes Vor- kommnis feststellt, muss dieses dem Lieferanten und der Swissmedic melden. Die Meldung kann durch eine Fachgesellschaft erfolgen. Die Fristen richten sich nach Artikel 87 EU-MDR. 5 Die Meldungen an die Swissmedic haben elektronisch und maschinenlesbar zu er- folgen. Die Swissmedic veröffentlicht Informationen zur elektronischen Übermittlung sowie die dabei zu verwendenden Formblätter mit den Vorgaben zu den Inhalten. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 66 Reporting obligation 1 The manufacturer of a device made available in Switzerland, or the person who assembles systems or procedure packs in accordance with Article 22 paragraphs 1 and 3 EU-MDR and makes them available in Switzerland, shall report to Swissmedic: a. serious incidents in connection with the device concerned that have occurred in Switzerland, as soon as they become aware of them; b. field safety corrective actions taken in Switzerland. 2 Exceptions to this reporting obligation, the modalities, the submission of periodic summary reports, trend reporting, and the analysis of serious incidents and field safety corrective actions shall be governed by Article 27 paragraph 5 and Articles 87–89 EU-MDR. 2bis Where an authorized representative is required pursuant to Article 51, that representative shall bear responsibility for reporting pursuant to paragraph 1. In addition, the authorized representative shall submit to Swissmedic, on their own initiative, trend reports pursuant to paragraph 2 regarding incidents in Switzerland and abroad. Final reports pursuant to Article 89 EU-MDR shall be submitted to Swissmedic. The transfer of these obligations from the manufacturer or from the person who assembles systems or procedure packs to the authorized representative shall be agreed upon in writing in the mandate. 4 Any professional who, in the course of using devices, identifies a serious incident shall report it to the supplier and to Swissmedic. Reporting may be carried out by a professional society. Time limits shall be governed by Article 87 EU-MDR. 5 Reports to Swissmedic shall be submitted electronically and in machine-readable form. Swissmedic shall publish information on electronic submission and the forms to be used with the requirements for their content. |
| MepV Art. 67 (SR 812.213) | [GERMAN VERBATIM] Art. 67 Meldesystem in Spitälern 1 Für die Meldungen nach Artikel 66 Absatz 4 errichten die Spitäler ein internes Mel- desystem im Rahmen eines etablierten Qualitätsmanagementsystems. 2 Sie bezeichnen eine geeignete sachkundige Person (Vigilance-Kontaktperson) mit medizinischer oder technischer Ausbildung, welche die Meldepflicht gegenüber der Swissmedic wahrnimmt. Sie melden die Angaben zu dieser Person der Swissmedic. 3 Die Aufbewahrungspflicht für Aufzeichnungen und alle Unterlagen, die im Rahmen des Qualitätsmanagementsystems der Vigilance erstellt worden sind, beträgt mindes- tens 15 Jahre. [UNOFFICIAL ENGLISH TRANSLATION: Informational only. The German text (SR 812.213) is the sole legally binding version. Do not rely on this translation for compliance decisions.] Art. 67 Reporting system in hospitals 1 For the purposes of reporting pursuant to Article 66 paragraph 4, hospitals shall establish an internal reporting system within the framework of an established quality management system. 2 They shall designate a suitably qualified person (vigilance contact person) with medical or technical training who shall fulfil the reporting obligation vis-à-vis Swissmedic. They shall report the particulars of this person to Swissmedic. 3 The obligation to retain records and all documents produced within the quality management system of vigilance shall be at least 15 years. |
| Clause we cite | Requirement text we store |
|---|---|
| ICH E6(R3) §II (Principles of ICH GCP) | [FAIR-USE EXCERPT: © ICH; full text not reproduced, see url.] ICH E6(R3) §II: "The Principles of GCP are designed to be flexible and applicable to a broad range of clinical trials." Summary: GCP is framed as an overarching, risk-based, proportionate and media-neutral set of principles, so quality and oversight expectations scale to the characteristics and risks of the individual trial rather than a fixed checklist. |
| ICH E6(R3) Annex 1 §3.10.1 (Risk Management) | [FAIR-USE EXCERPT: © ICH; full text not reproduced, see url.] ICH E6(R3) §3.10.1.1: "Risks should be considered across the processes and systems, including computerised systems, used in the clinical trial". Summary: the sponsor must identify and manage risks to critical-to-quality factors before and throughout the trial under a proportionate, risk-based quality-management system that explicitly includes computerised systems: the clause an AI risk-based-monitoring tool operates inside. |
| ICH E6(R3) Annex 1 §9.3 (Computerised systems) | [FAIR-USE EXCERPT: © ICH; full text not reproduced, see url.] ICH E6(R3) §9.3: "Computerised systems used in clinical trials should be fit for purpose (e.g., through risk-based validation, if appropriate)". Summary: any computerised (incl. AI) component used in a trial must be fit for purpose, with quality-critical factors addressed in its design or adaptation to ensure the integrity of trial data: fitness/validation is a precondition, not an afterthought. |
| ICH E6(R3) Annex 1 §9.4 + §4 (Records / Data Governance) | [FAIR-USE EXCERPT: © ICH; full text not reproduced, see url.] ICH E6(R3) §9.4: "...record integrity and traceability are maintained and that personal information is protected". Summary: trials must use robust record-management and data-governance processes (Annex 1 §4 spans the data life cycle across investigator and sponsor) so that integrity and traceability are maintained and personal data protected, enabling accurate reporting, interpretation and verification: binding any AI data-capture or transformation step to these controls. |
| Clause we cite | Requirement text we store |
|---|---|
| EMA AI Reflection Paper §2.2 | A key principle is that it is the responsibility of the clinical trial sponsor, marketing authorisation applicant/holder or manufacturer to ensure that all algorithms, models, datasets, and data processing pipelines used are fit for purpose and are in line with legal, ethical, technical, scientific, and regulatory standards as described in EU legislation, GxP standards and current EMA guidelines. Of note, these requirements may in some respects be stricter than what is considered standard practice in the field of data science. |
| EMA AI Reflection Paper §2.2 | A risk-based approach for development, deployment, and performance monitoring of AI/ML tools allows developers to pro-actively define the risks to be managed throughout the system lifecycle. The paper uses the term "high patient risk" for systems affecting patient safety, and "high regulatory impact" for cases where impact on regulatory decision-making is substantial. The degree of risk depends not only on the AI technology and data quality, but also on the context of use and the degree of influence the AI technology exerts, and may vary throughout the lifecycle of the AI-system. |
| EMA AI Reflection Paper §2.3.3.1 (GCP) | The use of AI/ML within the context of clinical trials should meet applicable requirements in the ICH E6 guideline for good clinical practice (GCP) or VICH GL9 (veterinary). If the use could be of high regulatory impact or high patient risk in a clinical trial, and the method has not been previously qualified by the EMA for the specific context of use, the full model architecture, logs from model development, validation and testing, training data and description of the data processing pipeline would likely be considered parts of the clinical trial data or trial protocol dossier and may be requested for comprehensive assessment at the time of market authorisation, clinical trial application or GCP inspection. |
| EMA AI Reflection Paper §2.6 (Governance) | SOPs implementing GxP principles on data and algorithm governance should be extended to include all data, models and algorithms used for AI/ML in cases of high regulatory impact or high patient risk. Aspects related to the governance of all components used, the application of data protection and compliance with applicable data protection laws and ethical standards should be documented and regularly reviewed. |
| EMA AI Reflection Paper §2.7 (Integrity aspects and data protection) | It is the responsibility of the applicant or MAH to ensure that all personal data, including those indirectly held within AI/ML models, are stored and processed in accordance with Union data protection legislation. All data processing activities must comply with the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability, as well as the rights of data subjects and data protection by design and default. As a general recommendation, a specific risk assessment focusing on the AI system should be performed for any personal data processing by AI. |
| Clause we cite | Requirement text we store |
|---|---|
| FDA AI Guidance §IV.A.2 (Step 2) [DRAFT: non-binding] | [DRAFT GUIDANCE: non-binding; do not rely on for compliance decisions.] The context of use (COU) defines the specific role and scope of the AI model used to address a question of interest. The description of the COU should describe in detail what will be modeled and how model outputs will be used. The COU should also include a statement on whether other information (e.g., animal or clinical studies) will be used in conjunction with the model output to answer the question of interest. |
| FDA AI Guidance §IV.A.3 (Step 3) [DRAFT: non-binding] | [DRAFT GUIDANCE: non-binding; do not rely on for compliance decisions.] Model risk is a combination of two factors: (a) model influence, which is the contribution of the evidence derived from the AI model relative to other contributing evidence used to inform the question of interest, and (b) decision consequence, which describes the significance of an adverse outcome resulting from an incorrect decision concerning the question of interest. Assessing model risk is important because the credibility assessment activities used to establish the credibility of AI model outputs should be commensurate with the AI model risk and tailored to the specific COU. |
| FDA AI Guidance §IV.A (7-step framework) [DRAFT: non-binding] | [DRAFT GUIDANCE: non-binding; do not rely on for compliance decisions.] The risk-based credibility assessment framework consists of a 7-step process to establish and assess the credibility of an AI model output for a specific COU based on model risk: Step 1, define the question of interest; Step 2, define the COU; Step 3, assess the AI model risk; Step 4, develop a plan to establish the credibility of AI model output within the COU; Step 5, execute the plan; Step 6, document the results and discuss deviations from the plan; Step 7, determine the adequacy of the AI model for the COU. |
| FDA AI Guidance §IV.B (Life Cycle Maintenance) [DRAFT: non-binding] | [DRAFT GUIDANCE: non-binding; do not rely on for compliance decisions.] Life cycle maintenance refers to the management of changes to AI models, whether incidentally or deliberately, to ensure the model remains fit for use over the drug product life cycle for its COU. AI-based models may be highly sensitive to variations or changes in model inputs because they are data-driven and can be self-evolving (i.e., capable of autonomously adapting without any human intervention). Model performance metrics should be monitored on an ongoing basis, and the level of oversight for a model over its life cycle should be risk-based (i.e., commensurate with the model risk and the COU). |
| Clause we cite | Requirement text we store |
|---|---|
| 21 CFR § 58.33 | The study director has overall responsibility for the technical conduct of the study, as well as for the interpretation, analysis, documentation and reporting of results, and represents the single point of study control. The study director shall assure that: (b) All experimental data, including observations of unanticipated responses of the test system are accurately recorded and verified; (c) Unforeseen circumstances that may affect the quality and integrity of the nonclinical laboratory study are noted when they occur, and corrective action is taken and documented. |
| 21 CFR § 58.35(a)-(b) | A testing facility shall have a quality assurance unit which shall be responsible for monitoring each study to assure management that the facilities, equipment, personnel, methods, practices, records, and controls are in conformance with the regulations in this part. For any given study, the quality assurance unit shall be entirely separate from and independent of the personnel engaged in the direction and conduct of that study. The unit shall inspect each study at intervals adequate to assure the integrity of the study, and shall review the final study report to assure that the reported results accurately reflect the raw data of the nonclinical laboratory study. |
| 21 CFR § 58.130(e) | All data generated during the conduct of a nonclinical laboratory study, except those that are generated by automated data collection systems, shall be recorded directly, promptly, and legibly in ink. In automated data collection systems, the individual responsible for direct data input shall be identified at the time of data input. Any change in automated data entries shall be made so as not to obscure the original entry, shall indicate the reason for change, shall be dated, and the responsible individual shall be identified. |
| 21 CFR § 58.190 | All raw data, documentation, protocols, final reports, and specimens generated as a result of a nonclinical laboratory study shall be retained. There shall be archives for orderly storage and expedient retrieval of all raw data, documentation, protocols, specimens, and interim and final reports. An individual shall be identified as responsible for the archives. Only authorized personnel shall enter the archives. Material retained or referred to in the archives shall be indexed to permit expedient retrieval. |
| 21 CFR § 58.63 | Equipment used for the generation, measurement, or assessment of data shall be adequately tested, calibrated and/or standardized. Written standard operating procedures shall set forth the methods, materials, and schedules for routine inspection, cleaning, maintenance, testing, calibration, and/or standardization of equipment, and shall specify remedial action to be taken in the event of failure or malfunction. Written records shall be maintained of all such operations, including the nature of any defect, how and when it was discovered, and any remedial action taken. |