chapter 01 · the governance spine

Ten governance pillars · one regulated stack.

Quick-reference grid of the ten frameworks that shape regulated quality systems · then the cross-stack drilldown for each. ISO 9001 · ISO 13485 · ICH Q10 · Q9(R1) · Q12 · 21 CFR Part 820 / QMSR · 21 CFR Part 11 · EU Annex 11 · ISO/IEC 42001 · GAMP 5. The flagship chapter for governance.

/ 00

The governance stack: ten frameworks.

Layered · load-bearing · audit-tested

No regulated organisation runs on a single quality framework. The governance spine is built by layering ten standards — some written by industry (ISO), some by harmonised regulators (ICH), some by single-jurisdiction regulators (FDA, EMA), and the newest tier by horizontal AI bodies (ISO/IEC 42001, EU AI Act). Each framework owns a different surface. Each has its own audit grammar. Inspections and notified-body assessments read this stack as a single document — gaps between layers are where 483s and major non-conformances cluster.

/ Foundation document

10 frameworks · one comparison · one audit lens.

Pick a framework. Read its scope, its trigger, what it requires, its audit-readiness implications. Designed for the QA director, the validation lead, the regulatory affairs team, the clinical operations sponsor, and the AI/ML governance owner asked to bridge ISO/IEC 42001 onto the existing PQS.

/ 00b

The ten governance pillars.

The regulated-life-sciences spine

Below: a quick-reference grid of the ten frameworks · then the comparison drilldown for each. QMSR (★) is where 2026 implementation friction runs deepest; ISO/IEC 42001 (★) is where the AI-governance retrofit work sits.

Quick reference · the ten frameworks.

/ 01
ISO 9001:2015.

Generic QMS foundation. Plan-Do-Check-Act, customer focus, risk-based thinking, leadership, continual improvement. The non-regulated baseline that every other QMS layers on.

/ 02
ISO 13485:2016.

Medical-device QMS. Notified-body baseline for EU MDR / IVDR. Now the foundation FDA's QMSR harmonises against, effective 2 February 2026.

/ 03
ICH Q10 · PQS.

Pharmaceutical Quality System (2008). Adds product lifecycle, management responsibility, knowledge management to the ISO 9001 baseline. The standard a pharma sponsor's PQS is graded against.

/ 04
ICH Q9(R1) 2023.

Quality Risk Management. R1 (Jan 2023) added subjectivity-management, knowledge-base risk, and digitalisation. The most-cited ICH document in 2024-2026 inspections.

/ 05
ICH Q12 · lifecycle.

Lifecycle management for established conditions and post-approval changes. Step 4 in November 2019. Implementation uneven across regions through 2026.

/ 06
21 CFR 820 / QMSR.

FDA medical-device QMS rule. Final rule Feb 2024; effective 2 February 2026. Harmonises with ISO 13485:2016 by reference, retains FDA-specific overlays.

/ 07
21 CFR Part 11.

Electronic records, electronic signatures (1997). Audit trail, attribution, identification, validation. The data-integrity floor — ALCOA+ derives from §11 read across regulators.

/ 08
EU Annex 11.

Computerised systems · EU GMP Volume 4. Companion to Part 11 in EU jurisdictions. Annex 22 (AI-specific) currently in finalisation alongside the Annex 11 revision.

/ 09
ISO/IEC 42001:2023.

AI management system (Dec 2023). The first international standard for governance of AI. The AI-equivalent of ISO 9001. Layers onto the existing QMS, not a replacement.

/ 10
GAMP 5 2nd ed.

Validation lifecycle for computerised systems. ISPE GAMP 5 (2nd edition 2022) added critical-thinking, agile, AI/ML appendices. Industry-best-practice anchor for Part 11 / Annex 11 implementation.

Cross-stack comparison · scope, trigger, requirements, audit lens.

/ 01 ISO 9001:2015. Generic QMS · the non-regulated baseline every regulated stack layers on.

At a glance · what it does, where it stops
SCOPE
Any organisation, any sector. Plan-Do-Check-Act, leadership commitment, customer focus, risk-based thinking, continual improvement. The ISO management-system architecture every other ISO MSS (13485, 27001, 42001) inherits.
LIMIT
Says nothing about regulated product. Cannot stand alone for a medical device, drug, biologic, or trial. Used as the audit-grammar floor; the regulated stack layers above.

Scope · 2015 (R)
Generic management system
Section 4 (context) · Section 5 (leadership) · Section 6 (planning) · Section 7 (support) · Section 8 (operation) · Section 9 (performance evaluation) · Section 10 (improvement).
Section anchor · High-Level Structure shared with ISO 13485, 14001, 27001, 42001

When applies · voluntary
Voluntary · supplier qualification
Voluntary certification. In life sciences, used for supplier-qualification audits and as the QMS frame for non-regulated subsidiaries (consulting, software, hardware components).
Trigger · Customer requirement · tender condition · supplier qualification

Requires · 2015
Risk-based thinking · documented info
Risk-based thinking embedded across all clauses. Documented information (replacing the older procedure / record split). Management review, internal audit, corrective action.
Acceptance · Certifying body audit, 3-year cycle, surveillance · recertification

Audit lens · 2015
Process, evidence, improvement
Auditors look for: documented context (4.1, 4.2), risk register, process owners, evidence of management review, internal audit programme, CAPA, KPIs.
Audit anchor · Clauses 9.1 (monitoring) · 9.2 (audit) · 9.3 (mgmt review)

Inspector's eye
In a regulated context, ISO 9001 alone fails: a notified body or FDA inspector will read it as a starting frame, not a regulated QMS. The ISO 9001 architecture is, however, what makes ISO 13485 and ISO/IEC 42001 cross-readable — one Annex SL, one set of clause numbers, one set of audit habits.

/ 02 ISO 13485:2016. Medical-device QMS · notified-body baseline · QMSR foundation.

At a glance
SCOPE
Medical devices and IVDs · manufacturers, importers, distributors, service providers. EU MDR / IVDR notified-body baseline. Now FDA's QMSR foundation effective 2 February 2026.
LIMIT
Not for active pharmaceutical ingredients, drug products, or trials. Software-only devices need IEC 62304 alongside. Risk management — ISO 14971 — is referenced but not contained.

Scope · 2016 (R)
Medical devices · full lifecycle
Design, development, production, installation, servicing · manufacturers and suppliers. References ISO 14971 (risk), IEC 62304 (software), IEC 62366 (usability) · not a drug-product standard.
Sections · 7 (product realisation) · 8 (measurement)

When applies · 2016
Mandatory in EU · mandatory-by-reference in US Feb 2026
EU MDR Article 10(9) and IVDR Article 10(8) require a QMS — ISO 13485 is the de facto compliance route. From 2 February 2026, FDA QMSR incorporates ISO 13485:2016 by reference.
Trigger · Device manufacturer · distributor · combination product

Requires · 2016
Design controls, CAPA, risk-based
Design and development controls (7.3), purchasing (7.4), production (7.5), monitoring & measurement (8.2), CAPA (8.5.2/3), management review (5.6). Risk-based approach explicit throughout.
Acceptance · Notified body audit cycle · annual surveillance

Audit lens · 2016
DHF / DMR / DHR triad
Inspectors trace Design History File → Device Master Record → Device History Record. Look for design-input traceability, V&V, post-market surveillance feedback into design.
Audit anchor · 7.3 (design) · 7.5 (production) · 8.2.1 (post-market)

Inspector's eye
From 2 February 2026, FDA QMSR replaces 21 CFR 820 with a regulation that incorporates ISO 13485:2016 by reference and adds FDA-specific overlays (UDI, eMDR, complaint files). Sponsors who built §820-shaped QMSs must rebuild around the ISO 13485 clause numbers — this is the largest device-QMS retrofit project of the decade.

/ 03 ICH Q10 · Pharmaceutical Quality System. 2008 · the pharma PQS standard layered on ISO 9001.

At a glance
SCOPE
Pharmaceutical product lifecycle — pharmaceutical development, technology transfer, commercial manufacturing, product discontinuation. Builds on ISO 9001 with lifecycle, knowledge management, management responsibility.
LIMIT
Step 4 in 2008. Implementation depth varies by region: FDA fully embeds Q10 in cGMP inspections; EMA cites it more selectively; PMDA has a domestic Q10 implementation guide. Annex 1 (PQS for development) and Annex 2 (PQS for manufacture) optional.

Scope · 2008
PQS · lifecycle · commercial
Section 1 (intro), 2 (PQS), 3 (mgmt responsibility), 4 (continual improvement of process performance and product quality), 5 (continual improvement of PQS). Annex 1, 2 optional implementation.
Section anchor · §3 mgmt responsibility · §4 continual improvement

When applies · 2008
Pharma drug product · biologic · ATMP
Drug-product manufacturers across IND, NDA, BLA. ATMPs included by extension. FDA "Pharmaceutical cGMPs for the 21st Century" (2002) seeded Q10. EU GMP Part III references Q10 verbatim.
Trigger · cGMP inspection · PAI (pre-approval inspection)

Requires · 2008
Process performance & product quality monitoring
Documented PQS, process-performance and product-quality monitoring system, CAPA, change-management, management review. Knowledge management explicit (§2.6) — the differentiator from ISO 9001.
Acceptance · Annual product review · APQR / PQR · mgmt review minutes

Audit lens · 2008
PQS effectiveness · not just presence
Inspectors check whether PQS produces evidence of continual improvement — CAPA closure rates, change-control timeliness, deviation trends — not just whether the documents exist.
Audit anchor · PQS effectiveness review · knowledge mgmt evidence

Inspector's eye
Q10 inspections increasingly look for evidence the PQS feeds back into pharmaceutical development — lessons learned crossing from commercial deviations into next-generation product development. A PQS without that feedback loop reads as paper compliance.

/ 04 ICH Q9(R1) · Quality Risk Management. 2005 / R1 January 2023 · the most-cited ICH document in 2024-2026 inspections.

At a glance · the R1 step-change
SCOPE
Risk methodology that runs across Q8, Q10, Q11, E6(R3), M10. R1 (January 2023) added subjectivity management, knowledge-base risk, and digitalisation. The risk-language every modern inspector speaks.
LIMIT
Q9 is methodology, not a checklist. Implementation varies wildly — FMEA-heavy Western shops, HACCP-heavy generic shops, FTA in safety-critical software. R1 explicitly accepts the plurality and demands defensible tool selection.

Scope · 2005 / R1 2023
Risk lifecycle · identify, analyse, evaluate, control, communicate, review
Risk principles, framework, tools (FMEA, FMECA, FTA, HAZOP, HACCP, PHA, risk-ranking and filtering). R1 added Annex II.6 (subjectivity), §5.1 (knowledge), Annex II.7 (formality).
Section anchor · §4 process · §5 mgmt · Annex II tools

When applies · always
Every change, deviation, validation
Risk assessment is the universal precondition: change controls, deviation classifications, validation scope, supplier qualification, computerised-system risk, AI/ML risk under Q9(R1) §5.4.
Trigger · Any decision that affects product quality · patient safety

Requires · 2023 R1
Documented, defensible, reviewed
Risk register or equivalent · documented tool selection · subjectivity acknowledged · periodic review · knowledge updated · assessment formality matched to risk significance.
Acceptance · Defensible documentation · updates traceable

Audit lens · 2023 R1
Subjectivity, knowledge, formality
Auditors now read R1 closely: how is subjectivity in scoring acknowledged? How is the underlying knowledge base maintained? Is the formality of assessment proportionate? Is digital-tool reliance documented?
Audit anchor · Risk register currency · R1 §5.1, §5.4, Annex II.6/7

Inspector's eye
Q9(R1) is the dominant audit reference because it cuts across everything. Where Q9 (2005) was procedural, R1 introduced explicit expectations on subjectivity, knowledge-base maintenance, and digitalisation — the three areas where 2024-2026 inspections find the most paper-thin assessments.

/ 05 ICH Q12 · lifecycle management. Step 4 November 2019 · established conditions, post-approval changes.

At a glance
SCOPE
Technical and regulatory considerations for pharmaceutical lifecycle management. Established conditions (ECs), Post-Approval Change Management Protocols (PACMPs), Product Lifecycle Management (PLCM) document.
LIMIT
Implementation uneven. FDA implemented Q12 with broad acceptance of established conditions. EMA narrower (variation framework retained). Health Canada, PMDA, ANVISA each at different adoption depths through 2026.

Scope · 2019 Step 4
Lifecycle · post-approval
§3 established conditions · §4 PACMPs · §5 PLCM · §6 PQS&CM · §7 relationship between regulatory and PQS · §8 structured approaches for analytical procedures.
Section anchor · §3 ECs · §4 PACMP · §5 PLCM

When applies · 2019+
Marketed pharma products
Drug-product post-approval phase. Q12 is the bridge that promises fewer prior-approval supplements when the PQS is mature and ECs are well-defined. Triggers regulatory submission strategy choices early in development.
Trigger · Variation, supplement · change category determination

Requires · 2019
PLCM document · ECs · PACMPs
Established conditions explicitly identified in submission. PLCM document submitted. PACMPs proposed for predicted changes. Ongoing CMC review built into PQS.
Acceptance · Regional variation framework · EC granularity accepted

Audit lens · 2019
PQS maturity · change-mgmt evidence
Inspectors look at change-control records, PLCM updates, EC tracking. The Q12 promise — less regulatory friction — is conditional on demonstrable PQS maturity.
Audit anchor · Change history · PLCM revisions

Inspector's eye
Q12 is most useful for products with long commercial lifecycles — biologics, complex generics, ATMPs. The cost/benefit only emerges 5-10 years post-approval when accumulated change-management efficiencies show. Sponsors chasing short-cycle products often skip the PLCM document and lose the benefit.

/ 06 21 CFR Part 820 / QMSR. FDA medical-device QMS · effective 2 February 2026.

At a glance
SCOPE
FDA medical-device manufacturers. The QMSR final rule (Federal Register 2 February 2024, effective 2 February 2026) replaces the 1996 §820 with a regulation that incorporates ISO 13485:2016 by reference and adds FDA overlays (UDI, eMDR, complaint files, labelling).
LIMIT
Not all of §820 disappears: §820.10 (objective evidence), §820.35 (records), §820.45 (labelling), §820.198 (complaint files) retained or modified. Sponsors with §820-shaped QMSs spent 2024-2026 retrofitting clause numbers, design control language, and risk-management references.

Scope · 2026 effective
FDA-regulated devices · combination products (device constituent)
All FDA-regulated medical devices · in vitro diagnostics · combination-product device constituent. Excludes drug constituent of combination products (drug stays under §211).
Section anchor · QMSR §820.10 · §820.35 · ISO 13485:2016 by reference

When applies · 2 February 2026
Mandatory · no transition for new files
QMSR became enforceable on 2 February 2026 with no grandfather provision. Existing PMA / 510(k) holders must be QMSR-compliant on day one. Inspections from Q2 2026 onwards apply QMSR clause numbering.
Trigger · Any FDA device inspection from 2 February 2026 onward

Requires · 2024 final / 2026 effective
ISO 13485:2016 + FDA overlays
Full ISO 13485:2016 compliance · UDI per 21 CFR 830 · eMDR §803 · complaint files §820.198 (modified) · labelling §820.45 · objective-evidence requirement §820.10 · risk management aligned with ISO 14971.
Acceptance · FDA inspection (BIMO / device) · ISO 13485 NB cert acceptable evidence

Audit lens · 2026
Pre-2026 QMSs read against post-2026 grammar
2026-2027 inspections will probe whether the §820-era language has been retired, whether risk management cross-references ISO 14971, whether design controls map to ISO 13485 §7.3, and whether the complaint-file definition reflects the QMSR §820.198 update.
Audit anchor · Clause-number map · §7.3 design · ISO 14971 ref

Inspector's eye
The QMSR transition is the largest device-QMS change since 1996. Expect a new 483 category in 2026-2027: "QMS still references retired §820 clauses." Sponsors who treat QMSR as a cosmetic find/replace miss the structural change — ISO 13485 design controls and §820 design controls are differently scoped, and the risk-management language now references ISO 14971 explicitly.

/ 07 21 CFR Part 11. Electronic records · electronic signatures · the data-integrity floor.

At a glance
SCOPE
Electronic records and electronic signatures in any FDA-regulated submission, predicate-rule record, or computerised system used in regulated operations. Defines audit-trail requirements, signature manifestations, validation, system access, training.
LIMIT
FDA's 2003 Scope and Application guidance narrowed enforcement focus; the underlying rule (1997) was never amended. ALCOA+ (Attributable, Legible, Contemporaneous, Original, Accurate + Complete, Consistent, Enduring, Available) is the operational reading inspectors apply across regulators.

Scope · 1997
Electronic records & signatures
§11.10 controls for closed systems · §11.30 open systems · §11.50/70 signature manifestations · §11.100 general requirements for electronic signatures · §11.200 components/controls · §11.300 ID code controls.
Section anchor · §11.10(e) audit trail · §11.10(a) validation

When applies · 1997+
Any regulated computerised system
LIMS, ELN, eTMF, EDC, CDS, MES, eQMS, BI tools, AI/ML inference systems, anything that creates / modifies / stores predicate-rule records electronically.
Trigger · Predicate rule reliance · regulatory submission

Requires · 1997
Audit trail, attribution, validation
System validation, audit trail with secure time-stamping, attribution to individuals (not shared accounts), authority checks, device checks for terminals, training, written policy on signature equivalence to handwritten signatures.
Acceptance · Validated system · audit-trail review evidence

Audit lens · 1997 / 2003 SaA
ALCOA+ as the operational test
Inspectors read Part 11 through ALCOA+. Routine audit-trail review is the failure point for most organisations — the rule has existed since 1997, the discipline rarely has.
Audit anchor · ALCOA+ · periodic audit-trail review SOP

Inspector's eye
Part 11 deficiencies are the most-cited finding category across FDA, EMA, MHRA, and TGA inspections combined. Audit-trail review — not whether the trail exists, but whether anyone reads it — is where the cited deviations cluster. AI/ML inference systems where the audit trail is not human-readable will be the next inspection wedge.

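The periodic audit-trail review that §11.10(e) and the ALCOA+ reading above call for, as an added example that is not part of the original page: a review routine run over a constructed change-log export, flagging the four gaps inspectors most often cite (shared-account or missing attribution, zone-less or backwards time-stamps, missing sequence numbers, non-human-readable values). The record layout, field names and the shared-account list are assumptions, not any real system's export format.

```python
"""Added example: periodic Part 11 audit-trail review against four ALCOA+ properties.
Record layout (seq, ts, user, action, record, old, new) is a constructed assumption."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed assumption: logins that several people share, so an entry made under
# them cannot be attributed to one individual (ALCOA "Attributable").
SHARED_ACCOUNTS = {"admin", "lab", "qc_shared", "service"}


@dataclass
class Finding:
    seq: int | None
    check: str    # "attributable" | "contemporaneous" | "complete" | "legible"
    detail: str


def _parse_ts(value: object) -> datetime | None:
    """Accept only timezone-aware ISO 8601 stamps; naive or malformed stamps are a gap."""
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def review_audit_trail(entries: list[dict]) -> list[Finding]:
    """Return one Finding per ALCOA+ gap; an empty list means the trail passed review."""
    findings: list[Finding] = []
    ordered = sorted(entries, key=lambda e: e["seq"])
    expected_seq = ordered[0]["seq"] if ordered else 0
    last_ts: datetime | None = None
    for e in ordered:
        seq = e["seq"]
        # Complete: sequence numbers must be contiguous; a gap means records are missing.
        if seq != expected_seq:
            findings.append(Finding(seq, "complete", f"gap: expected seq {expected_seq}, got {seq}"))
        expected_seq = seq + 1
        # Attributable: the entry must name one individual, not an empty or shared account.
        user = (e.get("user") or "").strip()
        if not user or user.lower() in SHARED_ACCOUNTS:
            findings.append(Finding(seq, "attributable", f"user '{user}' is missing or shared"))
        # Contemporaneous: the secure time-stamp must parse, carry a zone, and not run backwards.
        ts = _parse_ts(e.get("ts"))
        if ts is None:
            findings.append(Finding(seq, "contemporaneous", f"unparseable or zone-less stamp {e.get('ts')!r}"))
        else:
            if last_ts is not None and ts < last_ts:
                findings.append(Finding(seq, "contemporaneous", "stamp earlier than preceding entry"))
            last_ts = ts
        # Legible: old/new values must be human-readable text, not opaque blobs.
        for fld in ("old", "new"):
            if e.get(fld) is not None and not isinstance(e[fld], str):
                findings.append(Finding(seq, "legible", f"{fld} value is not human-readable text"))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per ALCOA+ check, the figure a review SOP would record."""
    return dict(Counter(f.check for f in findings))


# Constructed sample export: entry 1 is clean; 2 (shared login), 3 (clock runs backwards),
# 5 (seq 4 missing, naive stamp) and 6 (binary value) each carry a deliberate defect.
SAMPLE_TRAIL = [
    {"seq": 1, "ts": "2026-03-02T08:00:00Z", "user": "j.okafor", "action": "create", "record": "LOT-0417/assay", "old": None, "new": "98.2 %"},
    {"seq": 2, "ts": "2026-03-02T08:05:00Z", "user": "admin", "action": "modify", "record": "LOT-0417/assay", "old": "98.2 %", "new": "99.1 %"},
    {"seq": 3, "ts": "2026-03-02T08:04:00Z", "user": "j.okafor", "action": "modify", "record": "LOT-0417/assay", "old": "99.1 %", "new": "98.2 %"},
    {"seq": 5, "ts": "2026-03-02 09:00", "user": "m.lind", "action": "approve", "record": "LOT-0417", "old": "pending", "new": "released"},
    {"seq": 6, "ts": "2026-03-02T09:30:00Z", "user": "m.lind", "action": "modify", "record": "LOT-0417/model", "old": "v3", "new": b"\x00\x01"},
]

if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_TRAIL):
        print(f"seq {f.seq}: [{f.check}] {f.detail}")
    print(summarise(review_audit_trail(SAMPLE_TRAIL)))
```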
/ 08 EU Annex 11. Computerised systems · EU GMP Volume 4 · Annex 22 (AI) in finalisation.

At a glance
SCOPE
EU GMP Annex 11 governs computerised systems used in regulated operations — LIMS, MES, ERP, CDS, EDC, eQMS — in EU jurisdictions. Companion to Part 11 in cross-Atlantic implementations. Most CSV programmes are designed to satisfy both at once.
LIMIT
Annex 11 is currently in revision; a draft revision opened consultation in 2022, and an AI-specific Annex 22 is in late-stage finalisation alongside it. The 2026 revisions are expected to align Annex 11 explicitly with ICH Q9(R1), Annex 22, and the EU AI Act.

Scope · 2011 (current)
Computerised systems · EU GMP
17 clauses: risk mgmt, personnel, suppliers, validation, data, accuracy checks, data storage, printouts, audit trails, change & configuration mgmt, periodic evaluation, security, incident mgmt, electronic signatures, batch release, business continuity, archiving.
Section anchor · §4 validation · §9 audit trails · §11 periodic eval

When applies · 2011
EU GMP-bound operations
Any computerised system used in EU GMP operations: development, manufacture, QC, release, distribution. Inspectors apply Annex 11 to systems located outside the EU when those systems hold EU-relevant data.
Trigger · EU MIA / IMP / cGMP · any EU-relevant electronic record

Requires · 2011
Lifecycle approach · risk-based
Validated systems with documented lifecycle (URS, FS, DS, IQ, OQ, PQ), supplier audit, accuracy checks for manual entry, audit trails reviewed routinely, change & configuration management, periodic evaluation, business continuity / disaster recovery.
Acceptance · Validated · periodically re-evaluated · incident records

Audit lens · 2011 + 2026 revision
CSV maturity · audit trails · AI readiness
Auditors check validation lifecycle deliverables, supplier qualification, audit-trail review records, change-control linkage. The 2026 Annex 22 will add AI/ML lifecycle controls (data, training, monitoring, retraining, post-market surveillance).
Audit anchor · CSV deliverable map · periodic evaluation §11

Inspector's eye
Annex 11 inspections in 2024-2026 increasingly probe spreadsheet validation and SaaS-tool boundaries (where does the supplier's responsibility end and the regulated user's begin?). The pending Annex 22 is expected to land late 2026 / early 2027 and will reshape AI/ML lifecycle expectations across EU GMP.

/ 09 ISO/IEC 42001:2023. December 2023 · the first international AI management system standard.

At a glance · the AI-MS layer
SCOPE
An organisation-level AI Management System — the AI equivalent of ISO 9001. Published December 2023. Annex SL high-level structure — the same clause architecture as ISO 9001, 13485, 27001, 14001 — so it layers cleanly on existing QMSs without replacement.
LIMIT
42001 is management-system grammar, not a technical standard. It calls out impact assessments, lifecycle controls, transparency, and post-market monitoring — but the technical anchors live in ISO/IEC 23053, 23894, 5469 (medical AI), and the EU AI Act. Voluntary; certification market still maturing.

Scope · Dec 2023
AI management system · horizontal
Annex A controls (38 controls across 9 categories): policies, internal organisation, AI system lifecycle, data, information for users, third-party relationships, system / org context, leadership, post-market monitoring.
Section anchor · Annex A controls · Annex B implementation guidance

When applies · 2024+
Voluntary · supplier · AI Act readiness
Voluntary now; rapidly becoming a tender / supplier-qualification baseline. Sponsors deploying AI in regulated operations (model-driven QC, automated bioanalytical peak integration, AI-augmented monitoring) use 42001 to evidence governance maturity to regulators and customers.
Trigger · AI deployment in regulated operations · EU AI Act preparation

Requires · 2023
AI risk-impact · lifecycle · transparency
Documented AI policy, AI risk-impact assessments, lifecycle controls (data, design, V&V, deployment, monitoring, retraining, decommissioning), transparency mechanisms, third-party / supplier governance, post-market monitoring.
Acceptance · Certifying body audit cycle · 3-year recert

Audit lens · 2023
Layer on existing QMS · integrate
Auditors look for integration with the existing PQS / 13485 QMS — not a parallel system. AI risk register feeding Q9(R1) risk register; AI change-control crossing into the existing change-control SOP; AI post-market data feeding management review.
Audit anchor · Integration evidence · shared mgmt review minutes

Inspector's eye
42001 will become the AI-equivalent of 9001. Sponsors who treat it as a separate parallel management system fail the integration test — auditors expect AI governance to feed the existing CAPA, change-control, and management-review machinery. The EU AI Act Article 6(2) Annex III high-risk obligations applicable from 2 August 2026 sharpen this.

/ 10 GAMP 5 2nd edition. Validation lifecycle for computerised systems · ISPE 2nd ed. 2022.

At a glance
SCOPE
Industry best-practice anchor for Computerised System Validation. Risk-based approach to validating GxP computerised systems across the full lifecycle — concept, project, operation, retirement. Used to satisfy Part 11 / Annex 11 in operational practice.
LIMIT
Not a regulation. ISPE-published industry guide. The 2nd edition (2022) added critical-thinking, agile / iterative-development, AI/ML, and software categorisation updates. Recognised by FDA and EMA inspectors as the implementation standard but not legally binding.

Scope · 2022 (2nd ed)
CSV lifecycle · risk-based · AI/ML appendices
V-model validation, software categorisation (1 infrastructure, 3 non-configured COTS, 4 configured, 5 custom), supplier assessment, risk-based testing, agile-development guidance, AI/ML lifecycle appendix.
Section anchor · Cat 4/5 · D8 AI/ML · D9 agile

When applies · always
Default CSV implementation playbook
Used as the default playbook for any CSV programme — LIMS, MES, ERP, EDC, eTMF, eQMS, CDS, BI, AI inference. Cited in supplier qualification, used in audit narratives, expected by every inspector.
Trigger · CSV programme · supplier qual · system change

Requires · 2022
Lifecycle deliverables · risk-tiered testing
User Requirements Specification, Functional / Design Spec, configuration spec, IQ/OQ/PQ, requirements traceability matrix, risk-based test scope, supplier assessment, change & release management, periodic review.
Acceptance · Validation summary report · traceability matrix

Audit lens · 2022
Critical thinking · not paper-tick
The 2nd edition's critical-thinking emphasis explicitly pushes against the "test everything" tendency. Auditors look for proportionate testing tied to documented risk, with the riskiest functions tested most.
Audit anchor · RTM · test rationale · AI appendix evidence

Inspector's eye
GAMP 5 2nd edition's AI/ML appendix is the bridge text from CSV practice to ISO/IEC 42001 implementation. Sponsors building 42001 readiness should align AI lifecycle work to GAMP 5 D8 — auditors fluent in CSV will read 42001 evidence through GAMP 5 grammar.