chapter 02 · the operational layer

Governance substrate: lived day-to-day.

The QA function structure · training and competency · change-control workflow · deviation handling · CAPA lifecycle · document control · management review · internal audit. The operational machinery underneath every QMS clause.

/ 01

QA function structure.

Corporate · site · the working roles

The QA function in a regulated organisation is not a single role. It is a layered structure with a corporate spine, site-specific arms, and named technical specialisms. The shape of this structure is what auditors read when they want to know whether the QMS is independent, resourced, and authoritative.

/ Layer 01

Corporate QA.

QA director / VP-Quality reporting to the CEO or the board. Owns the QMS architecture across sites, the corporate SOP set, supplier-quality oversight, and the management-review framework. Independence from manufacturing and commercial is a 21 CFR 211.22 expectation and an ISO 13485 §5.5.2 expectation.

/ Layer 02

Site QA.

Site-level QA managers and QPs (where applicable). Batch release authority, deviation owner, change-control gatekeeper, internal-audit lead at site level. Reports dotted-line to corporate QA, solid-line to site general manager — the structural tension regulators expect to see managed.

/ Layer 03

QC analysts.

Analytical-laboratory headcount under QC management (separate from operational analytical labs). Routine release testing, stability testing, OOS handling per ICH Q9(R1) and the 1993 Barr decision implementation guide.

/ Layer 04

Validation specialists.

Process validation, cleaning validation, equipment qualification, computer-system validation. Often a separate cost-centre under QA but matrixed to manufacturing and IT. The CSV team owns the GAMP 5 deliverable set; the process validation team owns the ICH Q8/Q11 deliverable set.

/ Layer 05

Regulatory affairs.

Sometimes inside QA, sometimes a peer function. Owns submission strategy, agency interaction, post-marketing commitments, label changes. Audit findings cluster on the QA / RA seam — CAPAs that should have triggered field-safety actions, post-approval changes that should have triggered variations.

/ Layer 06

AI / digital quality.

The newest role in the structure. Owns ISO/IEC 42001 implementation, AI risk-impact assessments, and the bridge between traditional CSV and the AI/ML lifecycle. Reports to corporate QA in mature shops, to IT in less-mature ones — structural placement is itself a maturity signal.

/ 02

Training & competency.

From SOP-read to demonstrated practice

Training records are one of the top-five inspection findings every year. Not because organisations don't train, but because the audit grammar shifted around 2018 from "did the operator read the SOP" to "can the operator demonstrate the practice." A modern training programme is built around competency matrices, role-mapped curricula, and demonstrated proficiency — not signed acknowledgements.

/ 02.1

Role profiles.

Each regulated role mapped to required competencies: GMP fundamentals, ALCOA+ data integrity, deviation reporting, role-specific SOPs, role-specific platform training. Profile owned by HR + QA jointly.

/ 02.2

Competency matrices.

Per-individual matrix tracking: required curriculum, attended training, demonstrated practice, periodic re-qualification. The audit-readable evidence that the role profile has been operationalised for each named individual.

/ 02.3

Initial onboarding.

21 CFR 211.25 / ISO 13485 §6.2 / EU GMP Chapter 2: every employee in regulated activity receives initial GMP training, role training, and data-integrity training before independent work. Time-bound: the file must show the training-completion date, and that date must precede the first independent batch / sample / record.

/ 02.4

Refresher cadence.

Annual GMP refresher, annual data-integrity refresher, role-specific refresher on SOP revision. Frequency keyed to risk: high-risk roles (release-decision, sterile fill, GxP IT admin) re-qualify annually; lower-risk roles 24-36 months.

/ 02.5

On-the-job qualification.

Trainee shadow + supervised practice + assessed independent execution. Pre-2018 inspections accepted SOP-read as evidence; modern inspections expect an OJT log with supervisor attestation.

/ 02.6

SOP-revision training.

Every SOP revision triggers a delta training package — the change is summarised, affected roles identified, training records updated before the revision goes effective. Effective date of an SOP cannot precede training-completion date.

/ 03

Change-control workflow.

7 stages · risk-graded · cross-functional

Change control is the QMS's central nervous system. Every regulated change — equipment, process, supplier, document, software, raw material, analytical method, facility — routes through the same workflow. Different organisations choose different software (TrackWise, Veeva Vault, MasterControl); the workflow underneath is convergent because ICH Q10 §3.2.3 and ISO 13485 §7.3.9 are convergent.

1
Initiation & classification.

Change request raised by initiator. QA categorises: minor / moderate / major (or like-for-like / similar / new). Classification drives downstream requirements — risk assessment depth, regulatory notification, validation extent.

2
Risk assessment.

ICH Q9(R1) tool selection (FMEA, FMECA, risk-ranking) · assessment of patient-safety, product-quality, data-integrity, regulatory-compliance impact. Document the tool, the participants, the rationale, the outcome.

3
Cross-functional impact analysis.

Routes to QA, manufacturing, RA, validation, R&D, supply chain, IT, EHS. Each function declares impact + required actions. Regulatory impact assessment determines whether prior-approval supplement / variation / notification is needed.

4
Action plan.

Required actions consolidated: validation activities, document revisions, training, equipment qualification, supplier requalification, regulatory submissions, post-implementation monitoring. Each action with owner, due date, evidence requirement.

5
Approval.

Risk-graded approval signatures. QA Director approval mandatory for major changes. RA approval mandatory where regulatory submissions are required. Site QM approval for site-specific changes.

6
Implementation.

Actions executed in the planned sequence. Evidence collected per action. No deviation from approved plan without re-routing. Implementation date recorded; effectiveness check window starts.

7
Effectiveness check & closure.

30/60/90-day post-implementation effectiveness check — did the change achieve the intended outcome with no unintended consequences? Closure approval by change-control board / QA. Lessons captured back into knowledge management per ICH Q10 §2.6.

/ 04

Deviation handling.

From event to root cause to closure

A deviation is any departure from approved procedure, specification, or expected behaviour. The deviation system is where data-integrity, training, equipment, and process issues surface earliest. EU GMP Chapter 1 §1.4(xiv), 21 CFR 211.192, and ISO 13485 §8.3 each describe a similar shape: identify, investigate, classify, root-cause, action, close, trend.

/ 01
Detection & capture.

Operator-flagged or system-flagged. 24-hour reporting target. Initial classification provisional pending investigation.

/ 02
Investigation.

Bracketed scope, sample retain, equipment hold, batch hold if necessary. Cross-functional investigation team for major events. Documented with timeline, evidence, witnesses.

/ 03
Root-cause analysis.

Defensible RCA tool (5-Why, fishbone, fault-tree). The 1993 Barr decision case-law standard for OOS investigations applies. Hypothesis-driven; evidence-supported.

/ 04
Risk & impact.

Patient safety, product quality, regulatory disclosure, data integrity. ICH Q9(R1) framework. Defines whether CAPA, field action, or notification is needed.

/ 05
Closure & trending.

Closure approval by QA. Deviation feeds into trend register reviewed at management review. Recurring root causes escalate to systemic CAPA.

/ 05

CAPA lifecycle.

Corrective · preventive · effectiveness-checked

CAPA is the most-cited 483 area in FDA medical-device inspections year after year, and the most-cited PIC/S finding category in EU GMP inspections. The reason is consistent: organisations open CAPAs but cannot demonstrate effectiveness. ISO 13485 §8.5.2 (corrective) and §8.5.3 (preventive) require a documented procedure, defined investigation, action implementation, effectiveness verification, change-control linkage. QMSR retains the §820.100 CAPA expectation in its post-Feb-2026 form.

1
CAPA trigger.

Sources: deviation root cause, complaint trend, internal audit finding, external audit observation, supplier non-conformance, post-market surveillance signal, recall, regulatory inspection finding.

2
Problem statement.

Quantified, scoped, time-bounded. Avoids the "operator error" trap — investigates the system that allowed operator error to reach product.

3
Containment / correction.

Immediate actions to prevent recurrence pending root-cause work. Quarantine, batch hold, field communication where applicable.

4
Root cause.

Same RCA discipline as deviation handling, with an added scope question: is this an isolated event or a systemic gap? Systemic CAPAs reach across multiple deviations or complaints.

5
Corrective actions.

Address the root cause to prevent recurrence. Concrete, owner-assigned, due-dated. Cross-referenced to change-control where the action requires a controlled change.

6
Preventive actions.

Address related conditions to prevent occurrence elsewhere. Cross-site, cross-product, cross-process consideration. The 13485 §8.5.3 preventive arm is what most CAPA programmes underdeliver on.

7
Effectiveness verification.

Time-bound effectiveness check with measurable success criteria. The single most-cited gap in FDA 483s — CAPA closed without demonstrable effectiveness data. Post-implementation metrics tracked for 6-12 months.

/ 06

Document control.

SOP hierarchy · work instructions · forms

The document hierarchy is the spine of operational governance. Policy at the top · procedure (SOP) · work instruction · form / record. ISO 13485 §4.2 and 21 CFR 820.40 (carried into QMSR) require document approval, identification of revision, distribution control, current-version availability at point of use, obsolete-version control, retention.

Tier 01 · Policy
Quality manual / quality policy. Top-level statement of intent. Signed by CEO / executive management. Audited annually as part of management review. Sets the framework SOPs implement.
Annual

Tier 02 · SOP
Standard Operating Procedures. Procedural-level document covering "what is done, why, and who is accountable." Cross-functional. Owns risk-based decisions, hand-offs, escalation paths.
2-3 yr review

Tier 03 · WI
Work Instructions. Step-by-step task-level documents. Often equipment- or product-specific. Lower-tier review cycle — revised whenever the underlying technique changes.
As-needed

Tier 04 · Form
Forms / templates / logbooks. The blank record-substrate. Each form has its own document number; completed forms become records under separate retention rules.
As-needed

Tier 05 · Record
Completed records. The execution evidence: batch records, logbooks, deviation files, validation packages. Held under retention schedule per regulation: 21 CFR 211.180 (1+ year past expiry), 21 CFR 820.180 (life of device), 211.198 (complaints 1+ year), QMSR retains.
Retention

Tier 06 · External
External documents. Pharmacopoeias (USP, Ph.Eur., JP), regulations, ICH guidelines, supplier specifications, IFUs. Tracked, version-controlled, distributed at point-of-use. Currency check at quarterly cadence.
Quarterly

/ 07

SOP architecture.

8 functional buckets · the working categorisation

A regulated SOP set typically runs 100-400 procedures depending on scope. The functional categorisation below is the working shape recognised by FDA, EMA, MHRA, and PIC/S inspectors, and the shape ISO 13485 §4.2.4 implicitly assumes for the documented information requirement.

/ Cat 01
Quality system.

QMS architecture, document control, training, internal audit, management review, deviation, CAPA, change control, complaint handling.

/ Cat 02
Manufacturing · operations.

Production, packaging, labelling, batch record review, cleaning, in-process control, line clearance, environmental monitoring.

/ Cat 03
QC laboratory.

Sampling, testing, OOS handling, stability, reference standard management, equipment calibration, analytical method lifecycle.

/ Cat 04
Validation.

Process validation, cleaning validation, equipment qualification (DQ/IQ/OQ/PQ), CSV, analytical method validation, transport validation.

/ Cat 05
Supplier · materials.

Supplier qualification & audit, raw material specifications, incoming inspection, vendor management, supply continuity.

/ Cat 06
Regulatory.

Submission preparation, agency interaction, post-marketing commitments, recall procedures, field-safety actions, label control.

/ Cat 07
Clinical & PV.

GCP procedures, ICH E6(R3) site management, IMP handling, pharmacovigilance, ICSR processing, signal detection, PSUR/PBRER.

/ Cat 08
Digital & AI.

CSV per GAMP 5, Part 11 / Annex 11 implementation, ISO/IEC 42001 AI lifecycle, data integrity, audit-trail review, system access.

/ 08

Management review.

Cadence · inputs · outputs · the executive QMS feedback loop

Management review is required by ISO 9001 §9.3, ISO 13485 §5.6, ICH Q10 §3.2.5, ISO/IEC 42001 §9.3 — the same management-system clause inherited across Annex SL. It is the executive feedback loop that closes the QMS. A management review with quality KPIs but no decisions is a frequent inspection finding.

/ 08.1

Cadence.

Quarterly site-level review, semi-annual or annual corporate review. Required by procedure; chaired by senior management; minutes signed and retained.

/ 08.2

Required inputs.

Audit results, regulatory inspection outcomes, customer complaints, deviation/CAPA trending, change-control performance, supplier performance, post-market surveillance, training compliance, KPI performance against quality objectives.

/ 08.3

Required outputs.

Decisions on resource adequacy, QMS effectiveness, improvement opportunities, changes to quality objectives, escalations to board. Decisions must be traceable to inputs — meeting minutes are an audit artefact.

/ 08.4

Quality objectives.

SMART quality objectives reviewed each cycle. KPI dashboard: deviation rate, CAPA closure timeliness, complaint rate, audit-finding closure rate, training compliance, on-time release.

/ 08.5

AI / digital integration.

Post-2024, AI-related KPIs feed the same management review — AI risk register status, model-monitoring metrics, retraining cadence. ISO/IEC 42001 §9.3 expects the AI MS feedback loop to integrate with the existing QMS, not run separately.

/ 08.6

The decision trail.

The structural test inspectors apply: can decisions made in management review be traced through change controls, CAPAs, and resource allocations? A review with no downstream evidence reads as performative.

/ 09

Internal audit programme.

Risk-based plan · competent auditors · closure discipline

The internal audit programme is the QMS's self-test. ISO 19011 (audit guidelines), ISO 13485 §8.2.4, 21 CFR 820.22 (carried into QMSR §820.10 by reference), EU GMP Chapter 9, and ICH Q10 §3.2.4 all require periodic internal audits with independent auditors, a risk-based plan, documented findings, corrective actions, and follow-up.

/ 01
Annual audit plan.

Risk-based across functions, sites, suppliers. Approved by management. Plan review in management review.

/ 02
Auditor independence.

Auditors not auditing their own area. Trained per ISO 19011. Lead auditors hold defensible qualifications — lead auditor course, demonstrated audit hours.

/ 03
Audit execution.

Opening meeting, sample-based evidence collection, daily wash-up, closing meeting. Findings categorised: critical, major, minor, observation. Documented with evidence reference.

/ 04
CAPA linkage.

Major / critical findings raise CAPAs. Minors and observations tracked in audit-finding register. Each finding owner-assigned, due-dated.

/ 05
Closure & verification.

Findings closed only when evidence shows the underlying gap is resolved. Effectiveness check at next audit cycle. Recurring findings flagged in management review.