2025-04-22

By Not Exists

FDA

This framework outlines key compliance requirements based on common areas of FDA regulation, including Quality System (QS) elements like management responsibility, design controls, production/process controls, and CAPA, as well as requirements for document/record control, electronic records/signatures (21 CFR Part 11), and medical device cybersecurity. It provides a structured overview of these critical areas for maintaining compliance with applicable FDA regulations.

Controls:

Establishes requirements for a quality system for medical device manufacturers.

Quality System Policy and Procedures - QS.1

Policies and procedures are established; documented; and maintained for the overall quality system.
Management Responsibility - QS.2

Management with executive responsibility establishes and maintains an adequate quality system.
Management Responsibility - QS.2.1

Adequacy of Quality Policy and Objectives.
Management Responsibility - QS.2.2

Effectiveness of Management Review.
Quality System - QS.3

The quality system is established; implemented; and maintained in accordance with FDA requirements.

Establishes requirements for controlling the design of medical devices.

Design Controls Policy and Procedures - DC.1

Policies and procedures are established; documented; and maintained for design control activities.
Design Planning - DC.2

Design and development planning activities are conducted and documented.
Design Inputs - DC.3

Design inputs are established; documented; and meet user needs and intended use.
Design Outputs - DC.4

Design outputs are documented; meet design input requirements; and are verified.
Design Review - DC.5

Planned and systematic reviews of the design are conducted and documented.
Design Verification - DC.6

Design verification activities are conducted and documented.
Design Validation - DC.7

Design validation activities are conducted and documented.
Design Transfer - DC.8

The design is correctly translated into production specifications.

Establishes requirements for controlling production and processes.

Production and Process Controls Policy and Procedures - PPC.1

Policies and procedures are established; documented; and maintained for production and process controls.
Process Control - PPC.2

Processes are controlled to ensure that a device conforms to its specifications.
Production and Installation - PPC.3

Requirements for production and installation are established and maintained.

Establishes requirements for corrective and preventive actions.

CAPA Policy and Procedures - CAPA.1

Policies and procedures are established; documented; and maintained for corrective and preventive actions.
CAPA System - CAPA.2

A system is established and maintained for implementing corrective and preventive actions.
CAPA System - CAPA.2.1

Data Analysis for Identifying Nonconformities.
CAPA System - CAPA.2.2

Investigation of Nonconformities.
CAPA System - CAPA.2.3

Implementation and Verification of Corrective and Preventive Actions.

Establishes requirements for controlling documents and records.

Document and Record Control Policy and Procedures - DRC.1

Policies and procedures are established; documented; and maintained for document and record control.
Document Control - DRC.2

Documents are controlled to ensure that necessary documents are available and obsolete documents are removed.
Record Control - DRC.3

Records are maintained to demonstrate compliance with quality system requirements.

Establishes requirements for electronic records and electronic signatures (21 CFR Part 11).

Electronic Records and Electronic Signatures Policy - ERES.1

Policies and procedures are established; documented; and maintained for electronic records and electronic signatures.
System Validation - ERES.2

Systems that create; modify; maintain; or transmit electronic records are validated.
Audit Trails - ERES.3

Audit trails are generated for systems that manage electronic records.
Electronic Signatures - ERES.4

Requirements for electronic signatures are established and maintained.

Establishes requirements and guidance for medical device cybersecurity.

Medical Device Cybersecurity Policy and Procedures - MDC.1

Policies and procedures are established; documented; and maintained for medical device cybersecurity.
Cybersecurity Risk Management - MDC.2

Cybersecurity risks are identified; analyzed; evaluated; controlled; and monitored throughout the device lifecycle.
Cybersecurity Testing and Verification - MDC.3

Cybersecurity requirements are verified and validated through testing.
Vulnerability Management - MDC.4

A process is established for identifying; assessing; and mitigating postmarket cybersecurity vulnerabilities.

Healthcare Organization GRC Software Case Study

FDA

FDA

Quality System Policy and Procedures - QS.1

Management Responsibility - QS.2

Management Responsibility - QS.2.1

Management Responsibility - QS.2.2

Quality System - QS.3

Design Controls Policy and Procedures - DC.1

Design Planning - DC.2

Design Inputs - DC.3

Design Outputs - DC.4

Design Review - DC.5

Design Verification - DC.6

Design Validation - DC.7

Design Transfer - DC.8

Production and Process Controls Policy and Procedures - PPC.1

Process Control - PPC.2

Production and Installation - PPC.3

CAPA Policy and Procedures - CAPA.1

CAPA System - CAPA.2

CAPA System - CAPA.2.1

CAPA System - CAPA.2.2

CAPA System - CAPA.2.3

Document and Record Control Policy and Procedures - DRC.1

Document Control - DRC.2

Record Control - DRC.3

Electronic Records and Electronic Signatures Policy - ERES.1

System Validation - ERES.2

Audit Trails - ERES.3

Electronic Signatures - ERES.4

Medical Device Cybersecurity Policy and Procedures - MDC.1

Cybersecurity Risk Management - MDC.2

Cybersecurity Testing and Verification - MDC.3

Vulnerability Management - MDC.4