chapter 01 · the governance spine

Ten governance pillars · one regulated stack.

Quick-reference grid of the ten frameworks that shape regulated quality systems · then the cross-stack drilldown for each. ISO 9001 · ISO 13485 · ICH Q10 · Q9(R1) · Q12 · 21 CFR Part 820 / QMSR · 21 CFR Part 11 · EU Annex 11 · ISO/IEC 42001 · GAMP 5. The flagship chapter for governance.

/ 00

The governance stack: ten frameworks.

Layered · load-bearing · audit-tested

No regulated organisation runs on a single quality framework. The governance spine can be understood by layering ten standards — some written by industry (ISO), some by harmonised regulators (ICH), some by single-jurisdiction regulators (FDA, EMA), and the newest tier by horizontal AI bodies (ISO/IEC 42001, EU AI Act). Each framework owns a different surface. Each has its own audit grammar. Inspections and notified-body assessments often look across this stack in practice; gaps between layers are where evidence-readiness questions tend to appear.

/ Foundation document

10 frameworks · one comparison · one audit lens.

Pick a framework. Read its scope, its trigger, what it requires, its audit-readiness implications. Designed for the QA director, the validation lead, the regulatory affairs team, the clinical operations sponsor, and the AI/ML governance owner asked to bridge ISO/IEC 42001 onto the existing PQS.

ISO 9001 · ISO 13485 · ICH Q10 · ICH Q9(R1) · ICH Q12 · 21 CFR 820 / QMSR · 21 CFR Part 11 · EU Annex 11 · ISO/IEC 42001 · GAMP 5

/ 00b

The ten governance pillars.

The regulated-life-sciences spine

Below: a quick-reference grid of the ten frameworks · then the comparison drilldown for each. QMSR (★) is where 2026 implementation friction runs deepest; ISO/IEC 42001 (★) is where the AI-governance retrofit work sits.

Quick reference · the ten frameworks.

/ 01
ISO 9001:2015.

Generic QMS foundation. Plan-Do-Check-Act, customer focus, risk-based thinking, leadership, continual improvement. The non-regulated baseline that every other QMS layers on.

/ 02
ISO 13485:2016.

Medical-device QMS. Notified-body baseline for EU MDR / IVDR. Now the foundation FDA's QMSR harmonises against, effective 2 February 2026.

/ 03
ICH Q10 · PQS.

Pharmaceutical Quality System (2008). Adds product lifecycle, management responsibility, knowledge management to the ISO 9001 baseline. The standard a pharma sponsor's PQS is graded against.

/ 04
ICH Q9(R1) 2023.

Quality Risk Management. R1 (Jan 2023) added subjectivity-management, knowledge-base risk, and digitalisation. A central quality-risk reference for modern audit and inspection thinking.

/ 05
ICH Q12 · lifecycle.

Lifecycle management for established conditions and post-approval changes. Step 4 in November 2019. Implementation uneven across regions through 2026.

/ 06
21 CFR 820 / QMSR.

FDA medical-device QMS rule. Final rule Feb 2024; effective 2 February 2026. Harmonises with ISO 13485:2016 by reference, retains FDA-specific overlays.

/ 07
21 CFR Part 11.

Electronic records, electronic signatures (1997). Audit trail, attribution, identification, validation. The data-integrity floor — ALCOA+ derives from §11 read across regulators.

/ 08
EU Annex 11.

Computerised systems · EU GMP Volume 4. Companion to Part 11 in EU jurisdictions. AI-related EU GMP expectations under watch through official EudraLex updates.

/ 09
ISO/IEC 42001:2023.

AI management system (Dec 2023). The first international standard for governance of AI. The AI management-system anchor. Layers onto the existing QMS, not a replacement.

/ 10
GAMP 5 2nd ed.

Validation lifecycle for computerised systems. ISPE GAMP 5 (2nd edition 2022) added critical-thinking, agile, AI/ML appendices. Industry-best-practice anchor for Part 11 / Annex 11 implementation.

Cross-stack comparison · scope, trigger, requirements, audit lens.

/ 01 ISO 9001:2015. Generic QMS · the non-regulated baseline every regulated stack layers on.
At a glance · what it does, where it stops
SCOPE
Any organisation, any sector. Plan-Do-Check-Act, leadership commitment, customer focus, risk-based thinking, continual improvement. The ISO management-system architecture every other ISO MSS (13485, 27001, 42001) inherits.
LIMIT
Says nothing about regulated product. Cannot stand alone for a medical device, drug, biologic, or trial. Used as the audit-grammar floor; the regulated stack layers above.
Scope · 2015 (R)
Generic management system
Section 4 (context) · Section 5 (leadership) · Section 6 (planning) · Section 7 (support) · Section 8 (operation) · Section 9 (performance evaluation) · Section 10 (improvement).
Section anchor: High-Level Structure shared with ISO 13485, 14001, 27001, 42001
When applies · voluntary
Voluntary · supplier qualification
Voluntary certification. In life sciences, used for supplier-qualification audits and as the QMS frame for non-regulated subsidiaries (consulting, software, hardware components).
Trigger: Customer requirement · tender condition · supplier qualification
Requires · 2015
Risk-based thinking · documented info
Risk-based thinking embedded across all clauses. Documented information (replacing the older procedure / record split). Management review, internal audit, corrective action.
Acceptance: Certifying body audit, 3-year cycle, surveillance · recertification
Audit lens · 2015
Process, evidence, improvement
Auditors look for: documented context (4.1, 4.2), risk register, process owners, evidence of management review, internal audit programme, CAPA, KPIs.
Audit anchor: Clauses 9.1 (monitoring) · 9.2 (audit) · 9.3 (mgmt review)
Inspector's eye
In a regulated context, ISO 9001 alone fails: a notified body or FDA inspector will read it as a starting frame, not a regulated QMS. The ISO 9001 architecture is, however, what makes ISO 13485 and ISO/IEC 42001 cross-readable — one Annex SL, one set of clause numbers, one set of audit habits.
/ 02 ISO 13485:2016. Medical-device QMS · notified-body baseline · QMSR foundation.
At a glance
SCOPE
Medical devices and IVDs · manufacturers, importers, distributors, service providers. EU MDR / IVDR notified-body baseline. Now FDA's QMSR foundation effective 2 February 2026.
LIMIT
Not for active pharmaceutical ingredients, drug products, or trials. Software-only devices need IEC 62304 alongside. Risk management — ISO 14971 — is referenced but not contained.
Scope · 2016 (R)
Medical devices · full lifecycle
Design, development, production, installation, servicing · manufacturers and suppliers. References ISO 14971 (risk), IEC 62304 (software), IEC 62366 (usability) · not a drug-product standard.
Sections: 7 (product realisation) · 8 (measurement)
When applies · 2016
QMS required in EU; FDA QMSR incorporates ISO 13485 by reference
EU MDR Article 10(9) and IVDR Article 10(8) require a QMS — ISO 13485 is a widely used route for demonstrating QMS structure. From 2 February 2026, FDA QMSR incorporates ISO 13485:2016 by reference.
Trigger: Device manufacturer · distributor · combination product
Requires · 2016
Design controls, CAPA, risk-based
Design and development controls (7.3), purchasing (7.4), production (7.5), monitoring & measurement (8.2), CAPA (8.5.2/3), management review (5.6). Risk-based approach explicit throughout.
Acceptance: Notified body audit cycle · annual surveillance
Audit lens · 2016
DHF / DMR / DHR triad
Inspectors trace Design History File → Device Master Record → Device History Record. Look for design-input traceability, V&V, post-market surveillance feedback into design.
Audit anchor: 7.3 (design) · 7.5 (production) · 8.2.1 (post-market)
Inspector's eye
From 2 February 2026, FDA QMSR incorporates ISO 13485:2016 by reference and adds FDA-specific overlays. Teams with §820-shaped procedures should map clause language, responsibilities, and objective evidence to the QMSR structure rather than treating the change as cosmetic.
/ 03 ICH Q10 · Pharmaceutical Quality System. 2008 · the pharma PQS standard layered on ISO 9001.
At a glance
SCOPE
Pharmaceutical product lifecycle — pharmaceutical development, technology transfer, commercial manufacturing, product discontinuation. Builds on ISO 9001 with lifecycle, knowledge management, management responsibility.
LIMIT
Step 4 in 2008. Implementation depth varies by region: FDA fully embeds Q10 in cGMP inspections; EMA cites it more selectively; PMDA has a domestic Q10 implementation guide. Annex 1 (PQS for development) and Annex 2 (PQS for manufacture) optional.
Scope · 2008
PQS · lifecycle · commercial
Section 1 (intro), 2 (PQS), 3 (mgmt responsibility), 4 (continual improvement of process performance and product quality), 5 (continual improvement of PQS). Annex 1, 2 optional implementation.
Section anchor: §3 mgmt responsibility · §4 continual improvement
When applies · 2008
Pharma drug product · biologic · ATMP
Drug-product manufacturers across IND, NDA, BLA. ATMPs included by extension. FDA "Pharmaceutical cGMPs for the 21st Century" (2002) seeded Q10. EU GMP Part III references Q10 verbatim.
Trigger: cGMP inspection · PAI (pre-approval inspection)
Requires · 2008
Process performance & product quality monitoring
Documented PQS, process-performance and product-quality monitoring system, CAPA, change-management, management review. Knowledge management explicit (§2.6) — the differentiator from ISO 9001.
Acceptance: Annual product review · APQR / PQR · mgmt review minutes
Audit lens · 2008
PQS effectiveness · not just presence
Inspectors check whether PQS produces evidence of continual improvement — CAPA closure rates, change-control timeliness, deviation trends — not just whether the documents exist.
Audit anchor: PQS effectiveness review · knowledge mgmt evidence
Inspector's eye
Q10 inspections increasingly look for evidence the PQS feeds back into pharmaceutical development — lessons learned crossing from commercial deviations into next-generation product development. A PQS without that feedback loop reads as paper compliance.
/ 04 ICH Q9(R1) · Quality Risk Management. 2005 / R1 January 2023 · a central quality-risk reference for modern audit and inspection thinking.
At a glance · the R1 step-change
SCOPE
Risk methodology that runs across Q8, Q10, Q11, E6(R3), M10. R1 (January 2023) added subjectivity management, knowledge-base risk, and digitalisation. The risk-language every modern inspector speaks.
LIMIT
Q9 is methodology, not a checklist. Implementation varies wildly — FMEA-heavy Western shops, HACCP-heavy generic shops, FTA in safety-critical software. R1 explicitly accepts the plurality and demands defensible tool selection.
Scope · 2005 / R1 2023
Risk lifecycle · identify, analyse, evaluate, control, communicate, review
Risk principles, framework, tools (FMEA, FMECA, FTA, HAZOP, HACCP, PHA, risk-ranking and filtering). R1 added Annex II.6 (subjectivity), §5.1 (knowledge), Annex II.7 (formality).
Section anchor: §4 process · §5 mgmt · Annex II tools
When applies · always
Every change, deviation, validation
Risk assessment is the common precondition: change controls, deviation classifications, validation scope, supplier qualification, computerised-system risk, AI/ML risk under Q9(R1) §5.4.
Trigger: Any decision that affects product quality · patient safety
Requires · 2023 R1
Documented, defensible, reviewed
Risk register or equivalent · documented tool selection · subjectivity acknowledged · periodic review · knowledge updated · assessment formality matched to risk significance.
Acceptance: Defensible documentation · updates traceable
Audit lens · 2023 R1
Subjectivity, knowledge, formality
Auditors now read R1 closely: how is subjectivity in scoring acknowledged? How is the underlying knowledge base maintained? Is the formality of assessment proportionate? Is digital-tool reliance documented?
Audit anchor: Risk register currency · R1 §5.1, §5.4, Annex II.6/7
Inspector's eye
Q9(R1) is the central audit reference because it cuts across everything. Where Q9 (2005) was procedural, R1 introduced explicit expectations on subjectivity, knowledge-base maintenance, and digitalisation — the three areas where weak or poorly justified assessments can appear in 2024-2026 inspections.
/ 05 ICH Q12 · lifecycle management. Step 4 November 2019 · established conditions, post-approval changes.
At a glance
SCOPE
Technical and regulatory considerations for pharmaceutical lifecycle management. Established conditions (ECs), Post-Approval Change Management Protocols (PACMPs), Product Lifecycle Management (PLCM) document.
LIMIT
Implementation uneven. FDA implemented Q12 with broad acceptance of established conditions. EMA narrower (variation framework retained). Health Canada, PMDA, ANVISA each at different adoption depths through 2026.
Scope · 2019 Step 4
Lifecycle · post-approval
§3 established conditions · §4 PACMPs · §5 PLCM · §6 PQS&CM · §7 relationship between regulatory and PQS · §8 structured approaches for analytical procedures.
Section anchor: §3 ECs · §4 PACMP · §5 PLCM
When applies · 2019+
Marketed pharma products
Drug-product post-approval phase. Q12 is the bridge that promises fewer prior-approval supplements when the PQS is mature and ECs are well-defined. Triggers regulatory submission strategy choices early in development.
Trigger: Variation, supplement · change category determination
Requires · 2019
PLCM document · ECs · PACMPs
Established conditions explicitly identified in submission. PLCM document submitted. PACMPs proposed for predicted changes. Ongoing CMC review built into PQS.
Acceptance: Regional variation framework · EC granularity accepted
Audit lens · 2019
PQS maturity · change-mgmt evidence
Inspectors look at change-control records, PLCM updates, EC tracking. The Q12 promise — less regulatory friction — is conditional on demonstrable PQS maturity.
Audit anchor: Change history · PLCM revisions
Inspector's eye
Q12 is most useful for products with long commercial lifecycles — biologics, complex generics, ATMPs. The cost/benefit only emerges 5-10 years post-approval when accumulated change-management efficiencies show. Sponsors chasing short-cycle products often skip the PLCM document and lose the benefit.
/ 06 21 CFR Part 820 / QMSR. FDA medical-device QMS · effective 2 February 2026.
At a glance
SCOPE
FDA medical-device manufacturers. The QMSR final rule (Federal Register 2 February 2024, effective 2 February 2026) replaces the 1996 §820 with a regulation that incorporates ISO 13485:2016 by reference and adds FDA overlays (UDI, eMDR, complaint files, labelling).
LIMIT
Not all of §820 disappears: §820.10 (objective evidence), §820.35 (records), §820.45 (labelling), §820.198 (complaint files) retained or modified. Sponsors with §820-shaped QMSs spent 2024-2026 retrofitting clause numbers, design control language, and risk-management references.
Scope · 2026 effective
FDA-regulated devices · combination products (device constituent)
All FDA-regulated medical devices · in vitro diagnostics · combination-product device constituent. Excludes drug constituent of combination products (drug stays under §211).
Section anchor: QMSR §820.10 · §820.35 · ISO 13485:2016 by reference
When applies · Feb 2 2026
Effective FDA device QMS requirement
QMSR became effective on 2 February 2026. Existing device manufacturers should be able to explain their transition approach, clause mapping, and objective evidence under the current FDA regulation.
Trigger: Any FDA device inspection from 2 Feb 2026 onward
Requires · 2024 final / 2026 eff
ISO 13485:2016 + FDA overlays
Full ISO 13485:2016 compliance · UDI per 21 CFR 830 · eMDR §803 · complaint files §820.198 (modified) · labelling §820.45 · objective-evidence requirement §820.10 · risk management aligned with ISO 14971.
Acceptance: FDA inspection (BIMO / device) · ISO 13485 certificate may support, not replace, FDA evidence needs
Audit lens · 2026
Pre-2026 QMSs read against post-2026 grammar
Internal audits should probe whether the §820-era language has been retired, whether risk management cross-references ISO 14971, whether design controls map to ISO 13485 §7.3, whether complaint-file definition reflects QMSR §820.198 update.
Audit anchor: Clause-number map · §7.3 design · ISO 14971 ref
Inspector's eye
The QMSR transition is the largest device-QMS change since 1996. A useful internal-audit question is whether QMSR transition work stopped at clause references or also checked design controls, risk management, complaint files, labelling, records, and objective evidence under the updated rule.
/ 07 21 CFR Part 11. Electronic records · electronic signatures · the data-integrity floor.
At a glance
SCOPE
Electronic records and electronic signatures in any FDA-regulated submission, predicate-rule record, or computerised system used in regulated operations. Defines audit-trail requirements, signature manifestations, validation, system access, training.
LIMIT
FDA's 2003 Scope and Application guidance narrowed enforcement focus; the underlying rule (1997) was never amended. ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate + Complete, Consistent, Enduring, Available) is a practical data-integrity lens often used across regulated operations.
Scope · 1997
Electronic records & signatures
§11.10 controls for closed systems · §11.30 open systems · §11.50/70 signature manifestations · §11.100 general requirements for electronic signatures · §11.200 components/controls · §11.300 ID code controls.
Section anchor: §11.10(e) audit trail · §11.10(a) validation
When applies · 1997+
Any regulated computerised system
LIMS, ELN, eTMF, EDC, CDS, MES, eQMS, BI tools, AI/ML inference systems, anything that creates / modifies / stores predicate-rule records electronically.
Trigger: Predicate rule reliance · regulatory submission
Requires · 1997
Audit trail, attribution, validation
System validation, audit trail with secure time-stamping, attribution to individuals (not shared accounts), authority checks, device checks for terminals, training, written policy on signature equivalence to handwritten signatures.
Acceptance: Validated system · audit-trail review evidence
Audit lens · 1997 / 2003 SaA
ALCOA+ as the operational test
Inspectors read Part 11 through ALCOA+. Routine audit-trail review is a common operational weak point: the control may exist in procedure, while review evidence is thin.
Audit anchor: ALCOA+ · periodic audit-trail review SOP
Inspector's eye
Part 11 and data-integrity findings often focus on practical evidence: validation, access controls, attribution, audit trails, and whether reviews occur. For AI/ML inference systems, the next evidence question is whether system activity and model-change history remain reviewable by accountable humans.
/ 08 EU Annex 11. Computerised systems · EU GMP Volume 4 · AI-related GMP expectations under official-source watch.
At a glance
SCOPE
EU GMP Annex 11 governs computerised systems used in regulated operations — LIMS, MES, ERP, CDS, EDC, eQMS — in EU jurisdictions. Companion to Part 11 in cross-Atlantic implementations. Most CSV programmes are designed to satisfy both at once.
LIMIT
Annex 11 remains the key EU GMP computerised-systems reference. Any AI-specific EU GMP updates should be confirmed through official EudraLex publications before being treated as final obligations.
Scope · 2011 (current)
Computerised systems · EU GMP
17 clauses: risk mgmt, personnel, suppliers, validation, data, accuracy checks, data storage, printouts, audit trails, change & configuration mgmt, periodic evaluation, security, incident mgmt, electronic signatures, batch release, business continuity, archiving.
Section anchor: §4 validation · §9 audit trails · §11 periodic eval
When applies · 2011
EU GMP-bound operations
Any computerised system used in EU GMP operations: development, manufacture, QC, release, distribution. Inspectors apply Annex 11 to systems located outside the EU when those systems hold EU-relevant data.
Trigger: EU MIA / IMP / cGMP · any EU-relevant electronic record
Requires · 2011
Lifecycle approach · risk-based
Validated systems with documented lifecycle (URS, FS, DS, IQ, OQ, PQ), supplier audit, accuracy checks for manual entry, audit trails reviewed routinely, change & configuration management, periodic evaluation, business continuity / disaster recovery.
Acceptance: Validated · periodically re-evaluated · incident records
Audit lens · 2011 + 2026 revision
CSV maturity · audit trails · AI readiness
Auditors check validation lifecycle deliverables, supplier qualification, audit-trail review records, change-control linkage. AI/ML lifecycle controls should be tracked as a watch area through official EU GMP updates.
Audit anchor: CSV deliverable map · periodic evaluation §11
Inspector's eye
Annex 11 inspection discussions commonly return to validation lifecycle, supplier boundaries, audit trails, periodic evaluation, and business continuity. AI/ML expectations should be source-checked through official EU GMP publications before being presented as final.
/ 09 ISO/IEC 42001:2023. December 2023 · an international AI management-system standard.
At a glance · the AI-MS layer
SCOPE
An organisation-level AI Management System that can be mapped to existing management-system practice. Published December 2023. Annex SL high-level structure — the same clause architecture as ISO 9001, 13485, 27001, 14001 — so it layers cleanly on existing QMSs without replacement.
LIMIT
42001 is management-system grammar, not a technical standard. It calls out impact assessments, lifecycle controls, transparency, and post-market monitoring — but the technical anchors live in ISO/IEC 23053, 23894, 5469 (medical AI), and the EU AI Act. Voluntary; certification market still maturing.
Scope · Dec 2023
AI management system · horizontal
Annex A controls (38 controls across 9 categories): policies, internal organisation, AI system lifecycle, data, information for users, third-party relationships, system / org context, leadership, post-market monitoring.
Section anchor: Annex A controls · Annex B implementation guidance
When applies · 2024+
Voluntary · supplier · AI Act readiness
Voluntary standard; being explored as a supplier-qualification and governance-evidence reference. Sponsors deploying AI in regulated operations (model-driven QC, automated analytical review, AI-augmented monitoring) use 42001 to evidence governance maturity to regulators and customers.
Trigger: AI deployment in regulated operations · EU AI Act preparation
Requires · 2023
AI risk-impact · lifecycle · transparency
Documented AI policy, AI risk-impact assessments, lifecycle controls (data, design, V&V, deployment, monitoring, retraining, decommissioning), transparency mechanisms, third-party / supplier governance, post-market monitoring.
Acceptance: Certifying body audit cycle · 3-year recert
Audit lens · 2023
Layer on existing QMS · integrate
Auditors look for integration with the existing PQS / 13485 QMS — not a parallel system. AI risk register feeding Q9(R1) risk register; AI change-control crossing into the existing change-control SOP; AI post-market data feeding management review.
Audit anchor: Integration evidence · shared mgmt review minutes
Inspector's eye
ISO/IEC 42001 is strongest when it is mapped into existing QMS machinery instead of treated as a parallel file. For regulated life-sciences teams, the integration test is whether AI risks, changes, monitoring signals, and management-review inputs connect to the existing quality system.
/ 10 GAMP 5 2nd edition. Validation lifecycle for computerised systems · ISPE 2nd ed. 2022.
At a glance
SCOPE
Industry best-practice anchor for Computerised System Validation. Risk-based approach to validating GxP computerised systems across the full lifecycle — concept, project, operation, retirement. Used to satisfy Part 11 / Annex 11 in operational practice.
LIMIT
Not a regulation. ISPE-published industry guide. The 2nd edition (2022) added critical-thinking, agile / iterative-development, AI/ML, and software categorisation updates. Widely used as an implementation reference, but not legally binding by itself.
Scope · 2022 (2nd ed)
CSV lifecycle · risk-based · AI/ML appendices
V-model validation, software categorisation (1 infrastructure, 3 non-configured COTS, 4 configured, 5 custom), supplier assessment, risk-based testing, agile-development guidance, AI/ML lifecycle appendix.
Section anchor: Cat 4/5 · D8 AI/ML · D9 agile
When applies · always
Default CSV implementation playbook
Often used as a CSV implementation playbook — LIMS, MES, ERP, EDC, eTMF, eQMS, CDS, BI, AI inference. Often cited in audit narratives and supplier qualification discussions.
Trigger: CSV programme · supplier qual · system change
Requires · 2022
Lifecycle deliverables · risk-tiered testing
User Requirements Specification, Functional / Design Spec, configuration spec, IQ/OQ/PQ, requirements traceability matrix, risk-based test scope, supplier assessment, change & release management, periodic review.
Acceptance: Validation summary report · traceability matrix
Audit lens · 2022
Critical thinking · not paper-tick
The 2nd edition's critical-thinking emphasis explicitly pushes against the "test everything" tendency. Auditors look for proportionate testing tied to documented risk, with the riskiest functions tested most.
Audit anchor: RTM · test rationale · AI appendix evidence
Inspector's eye
GAMP 5 2nd edition's AI/ML appendix is the bridge text from CSV practice to ISO/IEC 42001 implementation. Sponsors building 42001 readiness should align AI lifecycle work to GAMP 5 D8 — auditors fluent in CSV will read 42001 evidence through GAMP 5 grammar.
/ S

Source register.

official anchors · interpretation separated
FDA / QMSR

QMSR final rule.

Federal Register final rule amending the Quality System Regulation; effective date and FDA-specific overlays should be read from the rule text.

eCFR

21 CFR Part 820.

Current legal text for FDA device quality-system requirements; use this as the live clause anchor for QMSR references.

ICH

Q9(R1) quality risk management.

Step 4 guideline for quality-risk-management concepts, subjectivity, formality, and knowledge management.

ICH

Q10 pharmaceutical quality system.

Pharmaceutical quality-system reference for management responsibility, lifecycle quality, CAPA, and continual improvement.

ICH

Q12 lifecycle management.

Step 4 guideline for established conditions, post-approval change management, and product lifecycle management.

eCFR

21 CFR Part 11.

Electronic records and electronic signatures rule; use with predicate-rule context and FDA scope guidance.

FDA

Data integrity Q&A.

FDA questions-and-answers guidance on data integrity and CGMP; useful for ALCOA+ and audit-trail interpretation.

European Commission

EudraLex Volume 4.

Official EU GMP page for Annex 11 and related GMP annexes; AI-specific GMP claims should be checked here before publication.

EUR-Lex

EU AI Act.

Regulation (EU) 2024/1689 official text; used for AI Act timing, high-risk system references, and governance boundaries.

ISO

ISO/IEC 42001.

AI management-system standard landing page. Full standard text is paid; public iFeed content should not quote unavailable clauses.

FDA

Computer Software Assurance.

FDA guidance PDF for production and quality-system software; useful for CSA and CSV evidence-readiness discussion.

ISPE

GAMP 5, second edition.

Industry guidance landing page. Treat as implementation guidance, not a regulation; full guide access is controlled by ISPE.