iFeed core · the structural spine

Governance is the structure that makes quality survivable.

Quality is not a department. Compliance is not a gate. Governance is the structure that makes quality and compliance reproducible across an organisation as it scales · regulators inspect · technology shifts under it. This is the iFeed core: the operating system beneath every domain in the library.

Open the chapters → See the methodology

Standards: ISO 9001 · 13485 · ICH Q9(R1) · Q10 · QMSR · ISO/IEC 42001 Lens: production-floor · GxP regulated Methodology: the methodology

Governance Overview Pillars Substrate History · Evolution Current 2026 Future 2026-2035 AI lens Flow · audit-readiness Players & stakeholders Signals

/ 00

Governance is the operating system beneath every domain.

Standards stack · domain pillars · PDCA cycle

A regulated organisation runs on a stack. Domains — bioanalytical, bioequivalence, clinical trials — sit on top because they are what regulators inspect on the floor. Underneath: governance, the load-bearing layer. Below that: the standards stack, ordered by surface area: ISO/IEC 42001 (AI management), QMSR + ICH Q10 (pharmaceutical quality), ICH Q9(R1) + ISO 13485 (risk + medical devices), ISO 9001 (foundational). Around the outside: a PDCA cycle that makes the whole thing operational.

/ At a glance

The iFeed.governance reference, in headlines.

2026-05-02 · live

Frameworks

10 anchored.

ISO 9001 · ISO 13485 · ICH Q9(R1) · ICH Q10 · ICH Q12 · 21 CFR 820 / QMSR · 21 CFR Part 11 · EU Annex 11 · ISO/IEC 42001 · GAMP 5. The full governance stack.

QMSR effective

2 Feb 2026.

21 CFR 820 harmonised with ISO 13485:2016. Combination-product DHF-to-PQS bridges should be checked as part of QMSR transition readiness.

EU AI Act

Annex III · 2 Aug 2026.

High-risk AI obligations are phased under Regulation (EU) 2024/1689. iFeed treats AI Act timing as an official-source check, especially where medical-device, IVD, and Annex III routes overlap.

ISO/IEC 42001

The AIMS standard.

December 2023 publication. The AI management-system anchor. Where pharma QMS overlaps and where 42001 fills gaps. The certification pathway for AI management systems.

/ Connection

Governance gates all three.

Bioanalytical · Bioequivalence · Clinical trials

Governance is the centre · the structural gate every trial domain passes through. QMS, ALCOA+, ICH Q9(R1), ISO/IEC 42001 — the policy layer that makes the science survivable on inspection day. Click a node to open that space.

/ Chapters

Nine chapters · open any.

Each chapter is its own page · secondary nav above

Chapter 01 · flagship

Pillars: cross-stack governance comparison.

ISO 9001 · ISO 13485 · ICH Q9(R1) · ICH Q10 · ICH Q12 · 21 CFR 820 / QMSR · 21 CFR Part 11 · EU Annex 11 · ISO/IEC 42001 · GAMP 5. Scope · when applies · what each requires · audit-readiness implications.

Open chapter →

Chapter 02 · operational layer

Governance substrate.

QA function structure (corporate vs site). Training programs & competency matrices. Change-control workflows. Deviation handling. CAPA lifecycle. Document-control hierarchy (SOP / WI / forms). Management review cadence. Internal audit programs.

Open chapter →

Chapter 03 · the multi-decade arc

History & evolution.

Pre-1980s no formal QMS in pharma. ISO 9001 (1987) became a broad QMS reference. ISO 13485 (1996) for medical devices. ICH Q10 (2008). FDA Pharmaceutical cGMPs for the 21st Century (2002). MHRA GxP DI (2018). QMSR (Feb 2026). ISO/IEC 42001 (2023). EU AI Act (2024).

Open chapter →

Chapter 04 · live now

Current state: 2026.

QMSR effective 2 February 2026. EU AI Act timing should be checked against the official EUR-Lex text and any later EU implementation updates. ICH E6(R3) operative since January 2025. ISO/IEC 42001 adoption under watch. AI-specific GMP guidance in consultation. Convergence of regulated-AI governance frameworks.

Open chapter →

Chapter 05 · projection

Future scope: 2026-2035.

EU AI Act Annex I high-risk applicability 2 Aug 2027. AI-specific GMP guidance under watch. ISO/IEC 42001 becoming the AI management-system anchor. QMS+AIMS convergence. Continuous-validation paradigm. Regulator AI literacy programs (FDA AI Office, EMA AI WG, MHRA AI airlock). The 2030+ landscape.

Open chapter →

Chapter 06 · the iFeed lens

AI quality governance.

How governance has to absorb AI · the immunity model. The 5 governance shifts AI forces: validation of non-deterministic systems · continuous monitoring · training-data lineage · PCCP-driven model updates · human-in-the-loop architecture. Pre-immunisation → active immunity → adaptive immunity.

Open chapter →

Chapter 07 · operational pipeline

Flow · audit-readiness.

Continuous compliance monitoring → mock audit → pre-inspection review → regulator inspection → 483 response → CAPA → effectiveness verification → management review. FDA OAI/VAI/NAI scoring. EMA risk-based inspection. MHRA risk-based GMP inspection.

Open chapter →

Chapter 08 · who runs the field

People: use cases, players, stakeholders.

Eight regulatory triggers (483 findings, EMA non-compliance, MHRA GxP DI, EU AI Act conformity, ICH Q9(R1), ISO 42001 audits, IRB/IEC findings, CAPA effectiveness). Five player categories: QA/RegOps, third-party auditors and notified bodies, regulators, GxP tech vendors, standards bodies.

Open chapter →

Chapter 09 · the living feed

Signals: governance writing.

The feed of writing relevant to governance practice. EU AI Act, QMSR, ISO/IEC 42001, AI-specific GMP guidance, validation of non-deterministic systems, the immunity-model framing. Connected to the Weekly Signals archive.

Open chapter →

/ 01

Why governance matters.

Three frames · regulatory · operational · strategic

Most regulated organisations treat governance as a regulatory burden — a tax extracted by inspectors and auditors. That frame is correct but incomplete. Governance has three frames simultaneously, and only the third is what makes a company defensible against AI failure modes, regulatory shifts, and the next decade of compliance pressure.

Frame 01

Regulatory.

The minimum surface required to operate. Without it, no submission is reviewable, no inspection survivable, no commercial product viable.

21 CFR 820 / QMSR · 21 CFR Part 11 data integrity
ICH Q10 (PQS) · Q9(R1) risk · Q8 development
ICH E6(R3) GCP · ICH Q9(R1) risk · ICH Q10 PQS · ICH Q12 lifecycle
EU MDR · EU IVDR · EU CTR · EU AI Act

Frame 02

Operational.

The internal architecture that lets the organisation deliver consistently — across teams, sites, instruments, suppliers, time. Governance reduces the rework cost of the next deviation, the next audit finding, the next change control.

SOP architecture · training records · competency
Document control · change control · CAPA
Supplier qualification · transfer protocols
Inspection readiness · ongoing surveillance

Frame 03

Strategic.

The frame iFeed treats as primary. Governance is the immune system · the structural antidote to AI vulnerability, methodology drift, and the failure modes that hurt organisations after they scale. Pre-immunisation is cheaper than rescue.

AI quality governance (ISO/IEC 42001 · EU AI Act)
Methodology IP separation · independence-first
Vaccine framing · not insulation, immunisation
Cross-domain consistency · regulated-life-sciences fit

/ 02

The QMS stack.

Eight framework anchors · how they layer

Quality management systems in regulated life sciences are not a single document. They are a layered stack of standards, each applicable in a different way and covering a different surface. The stack reads top-down: from the abstract management-system principles to the concrete trial-conduct or device-design rules.

L01ISO 9001

Quality management systems · requirements. The non-regulated baseline. Plan-Do-Check-Act, customer focus, continual improvement, leadership engagement, evidence-based decisions.

2015 (R)

L02ICH Q10

Pharmaceutical Quality System. Layered on ISO 9001. Adds product lifecycle (development → transfer → commercial → discontinuation), management responsibility, knowledge management.

2008

L03ICH Q9(R1)

Quality Risk Management. The risk methodology that runs across Q8/Q10/Q11/E6/M10. R1 (2023) added subjectivity-management, knowledge-base risk, and digitalisation. A central quality-risk reference for modern audit and inspection thinking.

2005 / R1 2023

L04ICH Q8(R2)

Pharmaceutical Development. QbD framework. Critical Quality Attributes (CQAs), Critical Process Parameters (CPPs), design space. Underpins ICH M10's risk-based partial-validation approach.

2009

L0521 CFR Part 11

Electronic records · electronic signatures. Audit trail, attribution, identification, validation. The data-integrity floor for every regulated computer system. ALCOA+ derives from §11 read across regulators.

1997

L06QMSR · 21 CFR 820

Quality Management System Regulation. FDA's medical-device QMS rule, harmonised with ISO 13485:2016 effective 2 February 2026. The 30-month implementation window forced major device QMS rebuilds 2024-2026.

2026 effective

L07ISO 13485

Medical devices · QMS · regulatory purposes. Notified-body baseline for EU MDR / IVDR. Now harmonised with QMSR 2026. Layered with ISO 14971 (risk management), IEC 62304 (software lifecycle), IEC 62366 (usability).

2016 (R)

L08ICH E6 R3

Good Clinical Practice. The clinical-trial conduct standard. R3 (Jan 2025 finalised) introduced principles-based GCP, sponsor-investigator oversight, decentralised-trial language, risk-based monitoring, electronic systems alignment with §11.

2024

L09ISO/IEC 42001

AI management system. The first international standard for governance of AI. Risk-impact assessment, lifecycle controls, transparency, post-market monitoring. Can serve as an AI management-system anchor when mapped into the existing QMS.

2023

/ 03

Compliance topology.

Four quadrants · pharma · MedTech · combination · AI in regulated

Compliance is shaped by the type of product the organisation makes. The four quadrants below carry distinct standards, distinct inspection regimes, and distinct failure modes. Most regulated organisations live in two or three of them at once · the bridges between them are where audit findings concentrate.

Quadrant 01

Pharmaceutical.

Small molecules, biologics, biosimilars, cell & gene therapy. Regulated as medicines.

Standards · ICH Q8 / Q9 / Q10 / Q11 / Q12 · 21 CFR 210/211 GMP · EU GMP Vol 4
Trial conduct · ICH E6 R3 GCP · ICH E8(R1) general considerations
Governance · ICH Q9(R1) · ICH Q10 · QMSR · ISO/IEC 42001
Bioequivalence · ICH M13A · 21 CFR 320 · EMA CPMP/EWP/QWP/1401/98
Pharmacovigilance · ICH E2A-E2F · EU GVP modules · FDA REMS

Quadrant 02

Medical device / IVD.

Hardware, IVDs, software-as-a-medical-device (SaMD). Regulated as devices.

Standards · ISO 13485:2016 · QMSR (21 CFR 820) effective 2026 · EU MDR · EU IVDR
Risk · ISO 14971 · failure mode & effects analysis · design FMEA
Software · IEC 62304 lifecycle · IEC 62366 usability · FDA pre-cert · PCCP
Clinical evaluation · MDR Article 61 · MDCG 2020-13 · ISO 14155
Post-market · UDI · vigilance · FSCA (field safety corrective actions)

Quadrant 03

Combination products.

Drug-device, biologic-device, drug-eluting devices, prefilled syringes, drug-coated catheters. The growing intersection · QMSR 2026 forced new bridges.

Lead-mode classification · primary mode of action drives lead regulator
Bridge documentation · DHF (820.30) ↔ PQS (Q10) handshake
Bioanalytical bridge · ICH M10 + 21 CFR 820 design controls
Risk overlay · ICH Q9 + ISO 14971 reconciliation
2026 inspection focus · QMSR transition evidence, design controls, CAPA, supplier control, and management-review traceability

Quadrant 04

AI in regulated.

AI/ML inside or alongside any of the above. The newest quadrant · with the least settled regulatory text.

EU AI Act · effective 1 Aug 2024 · high-risk systems classified by use case
FDA AI/ML SaMD · PCCP framework · predetermined change control plan
ISO/IEC 42001 · AI management system standard · lifecycle controls
ISO/IEC 22989 · AI concepts and terminology · foundational
AI governance watch · model lifecycle, validation evidence, change control, and human accountability

/ 04

Data integrity · ALCOA+.

Six original letters · five additions · the integrity floor

ALCOA was the FDA-articulated data-integrity acronym from the early 1990s. ALCOA+ added five more in 2010 to address the failures the original framework couldn't see: missing context, unstable storage, hidden information. Regulated computer systems should be able to demonstrate data-integrity controls to pass inspection. This is the data integrity floor — not the ceiling.

Attributable.

Who created or modified the record. Username, role, date-time stamp. No anonymous edits.

Legible.

Readable through the retention period. No erased, overwritten, or obscured data. Human-and-machine readable.

Contemporaneous.

Recorded at the time the activity occurred. Backdating is a data-integrity violation, not an administrative one.

Original.

First-capture record or true copy. Photocopy of a chromatogram printout is not a true copy (WHO §4.22).

Accurate.

Free from error, complete, reflecting actual measurement. Includes verified transcription if any.

+ C

Complete.

Full record including reanalysis, deviations, change history. Not a curated summary.

+ C

Consistent.

Internal logic preserved across systems. Audit trails reconcile to source records.

+ E

Enduring.

Retained for the regulatory window (often product lifetime + 10 years). Storage media should remain readable.

+ A

Available.

Retrievable within audit-window timeframe. The record should be retrievable within the applicable audit or inspection window.

+ T

Traceable.

Linked to source. Every derived value reconstructable from raw data through documented steps.

/ 05

Audit & inspection readiness.

What auditors often ask for · evidence surfaces

Inspection readiness is not a state, it's a posture. The inspection-readiness surfaces below are iFeed's governance checklist view. They are not presented as official frequency statistics; they identify record types and control points that commonly become audit questions. The cited rule is rarely the underlying problem · the inspector's actual concern is whether the system can be read by another competent reviewer in the inspector's place.

CAPA effectiveness evidence.

Closed CAPAs should show root cause, action evidence, effectiveness criteria, and recurrence review. Weak effectiveness evidence is a practical inspection-readiness risk.

Change-control traceability.

Changes should show classification, risk assessment, impact review, approvals, implementation evidence, and post-implementation check.

Training and competency.

Training files should show role requirements, completion before independent work, delta training for revised procedures, and evidence of demonstrated competence where needed.

Supplier and outsourced control.

Supplier files should show qualification, risk classification, quality agreements, performance review, and clear responsibility boundaries.

Audit-trail review.

For electronic records, teams should be able to show audit trails are enabled, protected, reviewed on a defined cadence, and connected to follow-up actions.

Data integrity.

ALCOA+ controls should be visible in records, metadata, review trails, corrections, and retrieval practices.

Management-review outputs.

Management review should show decisions, resource actions, quality objectives, trend discussion, and follow-up ownership.

AI governance interfaces.

Where AI is used in regulated work, teams should show intended use, human review, monitoring, change control, and ownership boundaries.

/ 06

Risk-based thinking.

ICH Q9(R1) · 5-step lifecycle · FMEA / hazard analysis

ICH Q9(R1) (Step 4 reached 18 January 2023) is a central quality-risk reference for modern audit and inspection thinking. The R1 revision explicitly addressed subjectivity-management, knowledge-base risk, and digitalisation — gaps the 2005 original couldn't anticipate. Every regulated change, deviation, transfer, and validation now passes through the same five-step lifecycle.

Step 01

Initiate.

Define the risk question. Scope, decision context, data needs. Q9(R1) added subjectivity declaration here.

Step 02

Assess.

Identify, analyse, evaluate. Severity · probability · detectability. FMEA, fault-tree, HAZOP, hazard analysis.

Step 03

Control.

Reduce or accept. Mitigation hierarchy: design out > engineered > administrative. Residual risk acceptance criteria.

Step 04

Communicate.

Documented decisions, accountability, transparency. Cross-functional review where impact crosses boundaries.

Step 05

Review.

Periodic re-evaluation. Trigger-based reassessment after change. Continuous-improvement linkage to CAPA system.

/ 07

AI quality governance.

Four standards · the AI-in-regulated stack

AI is already entering regulated life sciences through analytics, clinical operations, diagnostics, pharmacovigilance, documentation, and quality workflows. The regulatory text catching up to this reality is split across four standards, each applicable in a different way. iFeed's AI quality governance practice operates inside this stack.

Horizontal AI standard

ISO/IEC 42001.

Published Dec 2023 · AI management system

An international AI management-system standard. It gives organisations a way to structure AI policy, roles, lifecycle controls, transparency, monitoring, and supplier governance; it is not itself a life-sciences regulation.

Covers AI management systems across sectors and can be mapped to life-sciences QMS structures when used carefully.

Scope · AI lifecycle · organisation-wide

Regulatory law

EU AI Act.

Effective 1 Aug 2024 · phased through 2027

Risk-tiered: prohibited · high-risk · limited-risk · minimal-risk. Some life-sciences AI may be high-risk depending on intended use, product pathway, and jurisdiction — clinical decision support, diagnostic AI, recruitment screening, employment-relevant algorithms. High-risk obligations include conformity assessment, post-market monitoring, fundamental rights impact assessment.

Cross-cuts MDR/IVDR for medical AI. Sponsors face dual classification and dual conformity routes.

Scope · EU market · phased obligations; check official timing

FDA framework

AI/ML SaMD · PCCP.

2021 action plan · 2024 PCCP final guidance

Predetermined Change Control Plan (PCCP) lets locked AI models be updated post-market within a pre-cleared envelope. Algorithm Change Protocol (ACP) defines the modification types, performance metrics, validation strategy. The mechanism by which adaptive AI gets to commercial use without re-clearance per update.

Potential relevance to laboratory and analytical AI should be tracked through future official guidance rather than assumed.

Scope · FDA SaMD · locked & adaptive AI

Foundational

ISO/IEC 22989.

2022 · AI concepts and terminology

The vocabulary standard. Defines what counts as AI, ML, DL, NLP, agent, foundation model, training data, validation data, drift, etc. Inspector and regulator language increasingly anchored here · using consistent AI terminology can reduce interpretation friction.

Often paired with ISO/IEC 23053 (AI/ML framework) and ISO/IEC 38507 (governance of AI).

Scope · vocabulary · cross-domain

/ 08

Common failure modes.

Eight patterns the practice keeps seeing

The patterns below are the recurring failure modes iFeed sees across regulated organisations — across pharma, MedTech, combination products, and AI-in-regulated. Most are not technical defects. They are governance defects that express themselves through technical findings.

Pattern 01

Quality as department, not function.

Quality team owns "quality"; everyone else thinks compliance is somebody else's job. Inspector finds the same finding three times in three different teams. Symptom of leadership-engagement gap (ICH Q10).

Pattern 02

SOPs as artefacts, not living instruments.

SOP suite present and indexed but not read. Training records show signatures, not competency. A recurring surface for cross-cutting system findings. The remediation is hard because it's cultural.

Pattern 03

Audit-trail enabled, not reviewed.

Part 11 audit trail switched on but no scheduled review. Inspector asks for the last review record. There isn't one. Cited as data-integrity violation, not Part 11 technical gap.

Pattern 04

Risk assessment copied across changes.

Same risk assessment template applied to every change without reframing. Q9(R1) §6 explicitly addresses this — subjectivity declaration, knowledge-base reuse with re-evaluation. Templated risk is non-risk.

Pattern 05

CAPA loop open, no effectiveness check.

CAPA actions implemented, closure documented, no effectiveness evaluation. The system fails again 18 months later in the same place. Inspector reads the pattern in the deviation register.

Pattern 06

Method-transfer without bridging.

Method moves from sponsor to CRO or CRO to CRO without a controlled transfer or bridging rationale where the relevant method or process requires it. Late-stage programme failure surface.

Pattern 07

AI without AI quality governance.

AI/ML deployed (peak detection, eligibility screening, image classification) without ISO/IEC 42001 lifecycle controls or PCCP. AI Act or sector-specific obligations may arrive without a prepared evidence trail.

Pattern 08

Methodology absorbed into employer.

Specialist methods can become fragile when they live only in individual memory or informal files. iFeed treats method ownership, documentation, and continuity as part of operational governance.

/ 09

The the methodology lens.

How iFeed's methodology operationalises this stack

The structures above describe governance. iFeed uses them to translate governance into practical evidence surfaces — the method that turns the QMS stack, the compliance topology, ALCOA+, Q9(R1), and ISO/IEC 42001 into a single deployable practice. Three phases: Pre-immunisation (vaccination · before AI deployment), Active immunity (operational governance · during use), Adaptive immunity (post-incident learning · after every event).

/ Methodology

the methodology · the operating system underneath the practice.

The full methodology, the three-phase frame, and the agent-native execution architecture. the methodology is what turns the regulatory and operational frames into deployable governance.

Open methodology →

/ 10

Governance stakeholders.

Who decides · who is liable · who pays

Governance has internal stakeholders (who owns it, who runs it) and external stakeholders (who inspects it, who funds it, who is affected). The map below is who fires which lever when the system is challenged. Most governance failures sit at the interfaces between these stakeholders, not inside any one role.

CEO / Managing Director

Interestcompany viability · regulatory approvability · reputational capital

Leveragebudget allocation · ICH Q10 management responsibility · inspection-day signature

Quality head / VP QA

InterestQMS coherence · audit-readiness · cross-domain consistency

Leveragerelease authority · CAPA system · supplier qualification

Regulatory affairs head

Interestsubmission acceptability · timeline predictability · authority relationships

Leveragestrategy choice · jurisdiction selection · scientific advice meetings

Compliance officer

Interestpolicy adherence · training completeness · documentation discipline

Leverageinternal audit · monitoring · escalation pathways

Site / facility head

Interestoperational continuity · inspection survival · resourcing

LeverageSOP authoring · change-control approval · inspection front-line

R&D / process development

Interestscientific freedom · innovation pace · regulatory headroom

LeverageQbD design space · CQA / CPP definition · early-phase risk decisions

IT / data integrity owner

Interestsystem uptime · validated state · audit-trail completeness

Leveragesystem landscape · integration design · 21 CFR Part 11 / EU Annex 11 compliance

Regulator · inspector

Interestdata integrity · system reproducibility · public health

Leverage483 observations · warning letters · clinical hold · approval / non-approval

Notified body (EU)

Interestconformity assessment quality · ongoing surveillance

Leveragecertificate suspension · re-audit · scope reduction

Patient / end user

Interestsafety · efficacy · access

Leverageindirect (via ethics review · adverse-event reporting · post-market signals)

/ S

Source register.

official anchors · interpretation separated

FDA / QMSR

Governance is the operating system beneath every domain.

The iFeed.governance reference, in headlines.

10 anchored.

2 Feb 2026.

Annex III · 2 Aug 2026.

The AIMS standard.

Governance gates all three.

Nine chapters · open any.

Pillars: cross-stack governance comparison.

Governance substrate.

History & evolution.

Current state: 2026.

Future scope: 2026-2035.

AI quality governance.

Flow · audit-readiness.

People: use cases, players, stakeholders.

Signals: governance writing.

Why governance matters.

Regulatory.

Operational.

Strategic.

The QMS stack.

Compliance topology.

Pharmaceutical.

Medical device / IVD.

Combination products.

AI in regulated.

Data integrity · ALCOA+.

Attributable.

Legible.

Contemporaneous.

Original.

Accurate.

Complete.

Consistent.

Enduring.

Available.

Traceable.

Audit & inspection readiness.

CAPA effectiveness evidence.

Change-control traceability.

Training and competency.

Supplier and outsourced control.

Audit-trail review.

Data integrity.

Management-review outputs.

AI governance interfaces.

Risk-based thinking.

Initiate.

Assess.

Control.

Communicate.

Review.

AI quality governance.

ISO/IEC 42001.

EU AI Act.

AI/ML SaMD · PCCP.

ISO/IEC 22989.

Common failure modes.

Quality as department, not function.

SOPs as artefacts, not living instruments.

Audit-trail enabled, not reviewed.

Risk assessment copied across changes.

CAPA loop open, no effectiveness check.

Method-transfer without bridging.

AI without AI quality governance.

Methodology absorbed into employer.

The the methodology lens.

the methodology · the operating system underneath the practice.

Governance stakeholders.

Source register.

QMSR final rule.

21 CFR Part 820.

Q9(R1) quality risk management.

Q10 pharmaceutical quality system.

Q12 lifecycle management.

21 CFR Part 11.

Data integrity Q&A.

EudraLex Volume 4.

EU AI Act.