chapter 02 · the operational layer

Governance substrate: lived day-to-day.

The QA function structure · training and competency · change-control workflow · deviation handling · CAPA lifecycle · document control · management review · internal audit. The operational machinery underneath every QMS clause.

/ 01

QA function structure.

Corporate · site · the working roles

The QA function in a regulated organisation is not a single role. It is a layered structure with a corporate spine, site-specific arms, and named technical specialisms. The shape of this structure is what auditors read when they want to know whether the QMS is independent, resourced, and authoritative.

/ Layer 01

Corporate QA.

QA director / VP-Quality reporting to the CEO or the board. Owns the QMS architecture across sites, the corporate SOP set, supplier-quality oversight, and the management-review framework. Independence from manufacturing and commercial is a 21 CFR 211.22 expectation and an ISO 13485 §5.5.2 expectation.

/ Layer 02

Site QA.

Site-level QA managers and QPs (where applicable). Batch release authority, deviation owner, change-control gatekeeper, internal-audit lead at site level. Reports dotted-line to corporate QA, solid-line to site general manager — the structural tension regulators expect to see managed.

/ Layer 03

QC analysts.

Analytical-laboratory headcount under QC management (separate from operational analytical labs). Routine release testing, stability testing, OOS handling per ICH Q9(R1) and the 1993 Barr decision implementation guide.

/ Layer 04

Validation specialists.

Process validation, cleaning validation, equipment qualification, computer-system validation. Often a separate cost-centre under QA but matrixed to manufacturing and IT. The CSV team owns the GAMP 5 deliverable set; the process validation team owns the ICH Q8/Q11 deliverable set.

/ Layer 05

Regulatory affairs.

Sometimes inside QA, sometimes a peer function. Owns submission strategy, agency interaction, post-marketing commitments, label changes. Audit findings cluster on the QA / RA seam — CAPAs that should have triggered field-safety actions, post-approval changes that should have triggered variations.

/ Layer 06

AI / digital quality.

The newest role in the structure. Owns ISO/IEC 42001 implementation, AI risk-impact assessments, and the bridge between traditional CSV and the AI/ML lifecycle. Reports to corporate QA in mature shops, to IT in less-mature ones — structural placement is itself a maturity signal.

/ 02

Training & competency.

From SOP-read to demonstrated practice

Training records are a recurring inspection-readiness surface. The audit question has moved beyond whether an operator read an SOP toward whether role-specific competence can be demonstrated in practice. A modern training programme is built around competency matrices, role-mapped curricula, and demonstrated proficiency — not signed acknowledgements.

/ 02.1

Role profiles.

Each regulated role mapped to required competencies: GMP fundamentals, ALCOA+ data integrity, deviation reporting, role-specific SOPs, role-specific platform training. Profile owned by HR + QA jointly.

/ 02.2

Competency matrices.

Per-individual matrix tracking: required curriculum, attended training, demonstrated practice, periodic re-qualification. The audit-readable evidence that the role profile has been operationalised for each named individual.

/ 02.3

Initial onboarding.

21 CFR 211.25 / ISO 13485 §6.2 / EU GMP Chapter 2: every employee in regulated activity receives initial GMP training, role training, data-integrity training before independent work. Time-bound: the file should show the date training was completed prior to first independent batch / sample / record.

/ 02.4

Refresher cadence.

Annual GMP refresher, annual data-integrity refresher, role-specific refresher on SOP revision. Frequency keyed to risk: high-risk roles (release-decision, sterile fill, GxP IT admin) re-qualify annually; lower-risk roles 24-36 months.

/ 02.5

On-the-job qualification.

Trainee shadow + supervised practice + assessed independent execution. Pre-2018 inspections accepted SOP-read as evidence; modern inspections expect an OJT log with supervisor attestation.

/ 02.6

SOP-revision training.

Every SOP revision triggers a delta training package — the change is summarised, affected roles identified, training records updated before the revision goes effective. Effective date of an SOP cannot precede training-completion date.

/ 03

Change-control workflow.

7 stages · risk-graded · cross-functional

Change control is the QMS's central nervous system. Every regulated change — equipment, process, supplier, document, software, raw material, analytical method, facility — routes through the same workflow. Different organisations choose different software (TrackWise, Veeva Vault, MasterControl); the workflow underneath is convergent because ICH Q10 §3.2.3 and ISO 13485 §7.3.9 are convergent.

1
Initiation & classification.

Change request raised by initiator. QA categorises: minor / moderate / major (or like-for-like / similar / new). Classification drives downstream requirements — risk assessment depth, regulatory notification, validation extent.

2
Risk assessment.

ICH Q9(R1) tool selection (FMEA, FMECA, risk-ranking) · assessment of patient-safety, product-quality, data-integrity, regulatory-compliance impact. Document the tool, the participants, the rationale, the outcome.

3
Cross-functional impact analysis.

Routes to QA, manufacturing, RA, validation, R&D, supply chain, IT, EHS. Each function declares impact + required actions. Regulatory impact assessment determines whether prior-approval supplement / variation / notification is needed.

4
Action plan.

Required actions consolidated: validation activities, document revisions, training, equipment qualification, supplier requalification, regulatory submissions, post-implementation monitoring. Each action with owner, due date, evidence requirement.

5
Approval.

Risk-graded approval signatures. Major changes normally need quality approval, and regulatory-affairs review should be considered where submissions or commitments may be affected. Site QM approval for site-specific changes.

6
Implementation.

Actions executed in the planned sequence. Evidence collected per action. No deviation from approved plan without re-routing. Implementation date recorded; effectiveness check window starts.

7
Effectiveness check & closure.

30/60/90-day post-implementation effectiveness check — did the change achieve the intended outcome with no unintended consequences? Closure approval by change-control board / QA. Lessons captured back into knowledge management per ICH Q10 §2.6.

/ 04

Deviation handling.

From event to root cause to closure

A deviation is any departure from approved procedure, specification, or expected behaviour. The deviation system is where data-integrity, training, equipment, and process issues surface earliest. EU GMP Chapter 1 §1.4(xiv), 21 CFR 211.192, and ISO 13485 §8.3 each describe a similar shape: identify, investigate, classify, root-cause, action, close, trend.

/ 01
Detection & capture.

Operator-flagged or system-flagged. 24-hour reporting target. Initial classification provisional pending investigation.

/ 02
Investigation.

Bracketed scope, sample retain, equipment hold, batch hold if necessary. Cross-functional investigation team for major events. Documented with timeline, evidence, witnesses.

/ 03
Root-cause analysis.

Defensible RCA tool (5-Why, fishbone, fault-tree). The 1993 Barr decision case-law standard for OOS investigations applies. Hypothesis-driven; evidence-supported.

/ 04
Risk & impact.

Patient safety, product quality, regulatory disclosure, data integrity. ICH Q9(R1) framework. Defines whether CAPA, field action, or notification is needed.

/ 05
Closure & trending.

Closure approval by QA. Deviation feeds into trend register reviewed at management review. Recurring root causes escalate to systemic CAPA.

/ 05

CAPA lifecycle.

Corrective · preventive · effectiveness-checked

CAPA remains one of the most visible inspection-readiness areas in medical-device and GMP quality systems. The reason is consistent: organisations open CAPAs but cannot demonstrate effectiveness. ISO 13485 §8.5.2 (corrective) and §8.5.3 (preventive) require a documented procedure, defined investigation, action implementation, effectiveness verification, change-control linkage. QMSR retains the §820.100 CAPA expectation in its post-Feb-2026 form.

1
CAPA trigger.

Sources: deviation root cause, complaint trend, internal audit finding, external audit observation, supplier non-conformance, post-market surveillance signal, recall, regulatory inspection finding.

2
Problem statement.

Quantified, scoped, time-bounded. Avoids the "operator error" trap — investigates the system that allowed operator error to reach product.

3
Containment / correction.

Immediate actions to prevent recurrence pending root-cause work. Quarantine, batch hold, field communication where applicable.

4
Root cause.

Same RCA discipline as deviation handling, with an added scope question: is this an isolated event or a systemic gap? Systemic CAPAs reach across multiple deviations or complaints.

5
Corrective actions.

Address the root cause to prevent recurrence. Concrete, owner-assigned, due-dated. Cross-referenced to change-control where the action requires a controlled change.

6
Preventive actions.

Address related conditions to prevent occurrence elsewhere. Cross-site, cross-product, cross-process consideration. The 13485 §8.5.3 preventive arm is what most CAPA programmes underdeliver on.

7
Effectiveness verification.

Time-bound effectiveness check with measurable success criteria. A common inspection gap is CAPA closure without demonstrable effectiveness data. Post-implementation metrics tracked for 6-12 months.

/ 06

Document control.

SOP hierarchy · work instructions · forms

The document hierarchy is the spine of operational governance. Policy at the top · procedure (SOP) · work instruction · form / record. ISO 13485 §4.2 and 21 CFR 820.40 (carried into QMSR) require document approval, identification of revision, distribution control, current-version availability at point of use, obsolete-version control, retention.

Tier 01 · Policy · Annual

Quality manual / quality policy. Top-level statement of intent. Signed by CEO / executive management. Audited annually as part of management review. Sets the framework SOPs implement.

Tier 02 · SOP · 2-3 yr review

Standard Operating Procedures. Procedural-level document covering "what is done, why, and who is accountable." Cross-functional. Owns risk-based decisions, hand-offs, escalation paths.

Tier 03 · WI · As-needed

Work Instructions. Step-by-step task-level documents. Often equipment- or product-specific. Lower-tier review cycle — revised whenever the underlying technique changes.

Tier 04 · Form · As-needed

Forms / templates / logbooks. The blank record-substrate. Each form has its own document number; completed forms become records under separate retention rules.

Tier 05 · Record · Retention

Completed records. The execution evidence: batch records, logbooks, deviation files, validation packages. Held under retention schedule per regulation: 21 CFR 211.180 (1+ year past expiry), 21 CFR 820.180 (life of device), 211.198 (complaints 1+ year), QMSR retains.

Tier 06 · External · Quarterly

External documents. Pharmacopoeias (USP, Ph.Eur., JP), regulations, ICH guidelines, supplier specifications, IFUs. Tracked, version-controlled, distributed at point-of-use. Currency check at quarterly cadence.

/ 07

SOP architecture.

8 functional buckets · the working categorisation

A regulated SOP set typically runs 100-400 procedures depending on scope. The functional categorisation below is the working shape recognised by FDA, EMA, MHRA, and PIC/S inspectors, and the shape ISO 13485 §4.2.4 implicitly assumes for the documented information requirement.

/ Cat 01
Quality system.

QMS architecture, document control, training, internal audit, management review, deviation, CAPA, change control, complaint handling.

/ Cat 02
Manufacturing · operations.

Production, packaging, labelling, batch record review, cleaning, in-process control, line clearance, environmental monitoring.

/ Cat 03
QC laboratory.

Sampling, testing, OOS handling, stability, reference standard management, equipment qualification and metrology control, analytical method lifecycle.

/ Cat 04
Validation.

Process validation, cleaning validation, equipment qualification (DQ/IQ/OQ/PQ), CSV, analytical method validation, transport validation.

/ Cat 05
Supplier · materials.

Supplier qualification & audit, raw material specifications, incoming inspection, vendor management, supply continuity.

/ Cat 06
Regulatory.

Submission preparation, agency interaction, post-marketing commitments, recall procedures, field-safety actions, label control.

/ Cat 07
Clinical & PV.

GCP procedures, ICH E6(R3) site management, IMP handling, pharmacovigilance, ICSR processing, signal detection, PSUR/PBRER.

/ Cat 08
Digital & AI.

CSV per GAMP 5, Part 11 / Annex 11 implementation, ISO/IEC 42001 AI lifecycle, data integrity, audit-trail review, system access.

/ 08

Management review.

Cadence · inputs · outputs · the executive QMS feedback loop

Management review is required by ISO 9001 §9.3, ISO 13485 §5.6, ICH Q10 §3.2.5, ISO/IEC 42001 §9.3 — the same management-system clause inherited across Annex SL. It is the executive feedback loop that closes the QMS. A management review with quality KPIs but no decisions is a frequent inspection finding.

/ 08.1

Cadence.

Quarterly site-level review, semi-annual or annual corporate review. Required by procedure; chaired by senior management; minutes signed and retained.

/ 08.2

Required inputs.

Audit results, regulatory inspection outcomes, customer complaints, deviation/CAPA trending, change-control performance, supplier performance, post-market surveillance, training compliance, KPI performance against quality objectives.

/ 08.3

Required outputs.

Decisions on resource adequacy, QMS effectiveness, improvement opportunities, changes to quality objectives, escalations to board. Decisions should be traceable to inputs — meeting minutes are an audit artefact.

/ 08.4

Quality objectives.

SMART quality objectives reviewed each cycle. KPI dashboard: deviation rate, CAPA closure timeliness, complaint rate, audit-finding closure rate, training compliance, on-time release.

/ 08.5

AI / digital integration.

Post-2024, AI-related KPIs feed the same management review — AI risk register status, model-monitoring metrics, retraining cadence. ISO/IEC 42001 §9.3 expects the AI MS feedback loop to integrate with the existing QMS, not run separately.

/ 08.6

The decision trail.

The structural test inspectors apply: can decisions made in management review be traced through change controls, CAPAs, and resource allocations? A review with no downstream evidence reads as performative.

/ 09

Internal audit programme.

Risk-based plan · competent auditors · closure discipline

The internal audit programme is the QMS's self-test. ISO 19011 (audit guidelines), ISO 13485 §8.2.4, 21 CFR 820.22 (carried into QMSR §820.10 by reference), EU GMP Chapter 9, and ICH Q10 §3.2.4 all require periodic internal audits with independent auditors, risk-based plan, documented findings, corrective actions, follow-up.

/ 01
Annual audit plan.

Risk-based across functions, sites, suppliers. Approved by management. Plan review in management review.

/ 02
Auditor independence.

Auditors not auditing their own area. Trained per ISO 19011. Lead auditors hold defensible qualifications — lead auditor course, demonstrated audit hours.

/ 03
Audit execution.

Opening meeting, sample-based evidence collection, daily wash-up, closing meeting. Findings categorised: critical, major, minor, observation. Documented with evidence reference.

/ 04
CAPA linkage.

Major / critical findings raise CAPAs. Minors and observations tracked in audit-finding register. Each finding owner-assigned, due-dated.

/ 05
Closure & verification.

Findings closed only when evidence shows the underlying gap is resolved. Effectiveness check at next audit cycle. Recurring findings flagged in management review.

/ S

Source register.

official anchors · interpretation separated

FDA / QMSR

QMSR final rule.

Federal Register final rule amending the Quality System Regulation; effective date and FDA-specific overlays should be read from the rule text.

eCFR

21 CFR Part 820.

Current legal text for FDA device quality-system requirements; use this as the live clause anchor for QMSR references.

ICH

Q9(R1) quality risk management.

Step 4 guideline for quality-risk-management concepts, subjectivity, formality, and knowledge management.

ICH

Q10 pharmaceutical quality system.

Pharmaceutical quality-system reference for management responsibility, lifecycle quality, CAPA, and continual improvement.

ICH

Q12 lifecycle management.

Step 4 guideline for established conditions, post-approval change management, and product lifecycle management.

eCFR

21 CFR Part 11.

Electronic records and electronic signatures rule; use with predicate-rule context and FDA scope guidance.

FDA

Data integrity Q&A.

FDA questions-and-answers guidance on data integrity and CGMP; useful for ALCOA+ and audit-trail interpretation.

European Commission

EudraLex Volume 4.

Official EU GMP page for Annex 11 and related GMP annexes; AI-specific GMP claims should be checked here before publication.

EUR-Lex

EU AI Act.

Regulation (EU) 2024/1689 official text; used for AI Act timing, high-risk system references, and governance boundaries.

ISO

ISO/IEC 42001.

AI management-system standard landing page. Full standard text is paid; public iFeed content should not quote unavailable clauses.

FDA

Computer Software Assurance.

FDA guidance PDF for production and quality-system software; useful for CSA and CSV evidence-readiness discussion.

ISPE

GAMP 5, second edition.

Industry guidance landing page. Treat as implementation guidance, not a regulation; full guide access is controlled by ISPE.