6. Cross-Cutting Capabilities
6.1 Change-Management AI
What this module is, in one paragraph. Every regulated change has ripple effects: a change to Intended Use forces a CER review, a GSPR review, a Risk-file review, an IFU update, a DoC review; a change to a Risk Control forces a V&V test rerun, a Verification record update, a Validation review; a SOP update forces personnel retraining; an NB-certificate renewal forces revalidation of the device’s market authorisation. The most common regulatory failure mode for SMEs is forgotten ripples. MDR Art. 16 + Annex II §6.2 (V&V traceability), FDA 21 CFR 820.30(i) (design changes), ISO 13485:2016 §7.3.9, ISO 14971:2019 §4.4 (risk-management review), EU AI Act Art. 9 + Art. 43 (substantial-modification analysis), and FDA PCCP all require that the manufacturer identify, evaluate, and propagate change consequences. Wrapper’s Change-Management AI is a rules engine keyed on a regulator-citation-bearing rule table (90+ rules across four families: Document Dependency Propagation, Cross-Module Event Propagation, Form-Linked Impact Tracing, Regulatory Cap Gap Detection). When a rule fires, it writes structured findings into the AI Findings inbox naming the documents to review, the tests to re-run, the certificates to re-issue, the NB notifications to consider, and the owners to assign each action to. Closure of follow-up tasks rolls back into the Regulatory Health Score. Critically, the AI is HITL: it proposes, humans approve every action via PIN-signed Audit Signature — keeping Wrapper’s own AI in the Limited-Risk class under EU AI Act Art. 50 (transparency obligations only).
Regulatory pathway summary. Operationalises ISO 14971:2019 §4.4 (risk-management review on change); MDR Art. 16 + Annex II §6.2 (change-control traceability); FDA 21 CFR 820.30(i) design changes; FDA QMSR change-control; EU AI Act Art. 9 + Art. 43 + Annex IV (substantial-modification analysis); FDA PCCP boundary enforcement; ISO 13485:2016 §7.3.9 (design and development changes).
| Aspect | Summary |
|---|---|
| Purpose | Make the ripple-effects of any change explicit, traceable, and auditable. |
| What the user sees | AI Findings in the AI Findings inbox with clear action items per affected document; severity-tagged; routed to owners; PIN-signed approval per action. |
| Regulatory frameworks | ISO 14971 §4.4; MDR Art. 16 + Annex II §6.2; FDA 21 CFR 820.30(i); EU AI Act Art. 9, 43, Annex IV; FDA PCCP; ISO 13485 §7.3.9. |
| Solves the regulatory problem of | Forgotten ripples — the #1 root cause of NB Annex II §5/§6 findings and FDA design-changes Form-483 observations. |
| Pathway milestone unlocked | Every artefact in §3-§5 stays current under change; ISO 14971 §4.4 evidence; MDR Art. 16 evidence; FDA §820.30(i) inspection readiness. |
Regulatory Specificity
Table 1 — Which rule family applies in which case (90+ rules)
| Rule family | Citation | Applies when… | Class |
|---|---|---|---|
| CM-001..031 (core change-mgmt) | MDR Art. 16 + Annex II §6.2; ISO 13485 §7.3.9; ISO 14971 §4.4 | Document / Process / Risk / Issue mutation | All classes |
| CM-032..050 (AI Governance) | EU AI Act Arts. 9, 14, 15, 43, 72; FDA PCCP | AI dataset / model / monitoring change | High-Risk AI |
| CM-051..064 (Supplier) | MDR Annex II §5; FDA 21 CFR 820.50; ISO 13485 §7.4 | Supplier qualification / performance / cert change | All classes |
| CM-071..090 (Cybersecurity) | FDA Cyber 2023; MDR Annex I §17; ISO 27001 Annex A | SBOM / Vuln / Incident / Access change | ISMS scope |
| Document Dependency Propagation | MDR Annex II §6.2; FDA 21 CFR 820.30(i) | Document changes affect dependents | All classes |
| Cross-Module Event Propagation | MDR Art. 83; FDA 21 CFR 820.100 | Vigilance / Audit / Supplier / EUDAMED event | All classes |
| Form-Linked Impact Tracing | MDR Annex II §6.2; FDA 21 CFR 820.30(f)(g) | Form-template / Form-submission revision | All classes |
| Regulatory Cap Gap Detection | EU AI Act Art. 9; ISO 13485 §8.2.4 | Periodic scan + on event | All classes |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Document Dependency Propagation (CM-001..031) | Intended-Use changed but CER not reviewed — NB Annex II §5 finding. |
| Cross-Module Event Propagation (CM-032..090) | Vigilance event triggers Risk-file review — auto-flagged. |
| HITL on every action | AI auto-action would push Wrapper into High-Risk class — HITL discipline keeps it Limited-Risk. |
| Rule-engine seed table | "Which rule fired here?" — answered by rule_id audit trail. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| All 90+ rules | Continuous regulator-defensible change-control evidence |
| HITL discipline | EU AI Act Art. 14 evidence; Limited-Risk classification for Wrapper’s own AI |
Why these regulations are non-negotiable. Forgotten ripples are the #1 root cause of NB Annex II §5/§6 findings — without a systematic ripple-engine, every change is a potential audit finding. EU AI Act Art. 43 requires substantial-modification analysis on every AI change; without rules, the analysis is ad-hoc and indefensible.
Who uses this module and when. Every owner sees findings routed to them. QMS Manager monitors aggregate. NB Auditor samples rule-engine output at every audit.
6.2 Regulatory Health Score
What this module is, in one paragraph. A deterministic 0–100 score per device per regulator computed nightly (and on every significant event) from weighted components: certificate validity (35 %), document completeness (25 %), document freshness (15 %), change load (10 %), cross-module risk (15 %). The score buckets into bands: GREEN (85–100) healthy, YELLOW (70–84) attention, ORANGE (50–69) gaps exist (submissions may be blocked), RED (<50) unmarketable. The executive view per device is one gauge per regulator (MDR / FDA / ISO 13485 / EU AI Act / ISO 27001); clicking the gauge expands into the contributing components with direct links to the documents, clocks, and findings dragging the score down. The score is deterministic arithmetic, not AI — every input is a queryable count, and the result is reproducible exactly given the same inputs.
Regulatory pathway summary. Aggregates evidence across MDR / FDA QMSR / ISO 13485 / EU AI Act / ISO 27001 / SOC-2; supports executive review per ISO 13485 §5.6.2 (management review inputs); operationalises continuous monitoring per ISO 13485 §8.2.4.
| Aspect | Summary |
|---|---|
| Purpose | Give leadership a single audit-readiness signal per device per regulator. |
| What the user sees | A gauge per device per regulator on the Mgmt & Audit dashboard; drill-down to contributing components. |
| Regulatory frameworks | Aggregates evidence across MDR / FDA QMSR / ISO 13485 / EU AI Act / ISO 27001 / SOC-2; informs ISO 13485 §5.6.2. |
| Solves the regulatory problem of | "Can we sell tomorrow?" — answered with one number per device per regulator. |
| Pathway milestone unlocked | Continuous executive audit-readiness; ISO 13485 §5.6.2 management-review input. |
Score component breakdown.
| Component | Weight | Input |
|---|---|---|
| Certificate validity | 35 % | NB certificate expiry, ISO 13485 cert, MDSAP cert, ISO 27001 cert, SOC-2 Type-2 attestation validity |
| Document completeness | 25 % | Required-vs-present documents per framework checklist |
| Document freshness | 15 % | % documents within review period |
| Change load | 10 % | Open HIGH / CRITICAL Change-Mgmt-AI findings |
| Cross-module risk | 15 % | Open Vigilance / Supplier / Audit / Cyber items |
Bands. GREEN 85–100 (Healthy); YELLOW 70–84 (Attention); ORANGE 50–69 (Gaps; submissions may be blocked); RED <50 (Unmarketable; immediate action required).
Why deterministic, not AI. Auditors and inspectors will challenge any AI-derived "compliance score". A deterministic score is reproducible, explainable, and inspector-defensible — every component can be drilled to its source count.
Who uses this module and when. Executive sponsor weekly. QMS Manager daily. PRRC at every regulator submission. NB / FDA / Auditor at audit.
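The weighted score and banding described above, as an added example (not Wrapper's own code). The weights and bands come from the tables in this section; how each count is normalised to a fraction, the `OPEN_ITEM_CAP` value, the floor rounding and the treatment of an empty checklist are assumptions made for illustration.

```python
from fractions import Fraction

WEIGHTS = {  # percentages from the score component table
    "certificate_validity": 35,
    "document_completeness": 25,
    "document_freshness": 15,
    "change_load": 10,
    "cross_module_risk": 15,
}
BANDS = [(85, "GREEN"), (70, "YELLOW"), (50, "ORANGE"), (0, "RED")]
OPEN_ITEM_CAP = 10  # assumption: this many open items zeroes a component


def ratio(good, total):
    """Exact share of good items; an empty checklist scores 0 (fail closed)."""
    if not 0 <= good <= total:
        raise ValueError(f"invalid counts {good}/{total}")
    return Fraction(good, total) if total else Fraction(0)


def headroom(open_items):
    """Assumed mapping from a count of open items to a 0..1 fraction."""
    if open_items < 0:
        raise ValueError("open item count cannot be negative")
    return Fraction(max(OPEN_ITEM_CAP - open_items, 0), OPEN_ITEM_CAP)


def health_score(counts):
    """Return (score, band, components losing points, worst first)."""
    parts = {
        "certificate_validity": ratio(*counts["certs"]),
        "document_completeness": ratio(*counts["docs"]),
        "document_freshness": ratio(*counts["fresh"]),
        "change_load": headroom(counts["open_change"]),
        "cross_module_risk": headroom(counts["open_cross"]),
    }
    if sum(WEIGHTS.values()) != 100:
        raise ValueError("weights must total 100")
    # Exact rational arithmetic: no float drift between nightly runs.
    earned = {k: WEIGHTS[k] * parts[k] for k in WEIGHTS}
    # Floor, so a borderline value never rounds up into a healthier band.
    score = int(sum(earned.values()))
    band = next(name for floor, name in BANDS if score >= floor)
    lost = sorted(((WEIGHTS[k] - earned[k], k) for k in WEIGHTS), reverse=True)
    return score, band, [k for points, k in lost if points > 0]


# Constructed sample counts for one device and one regulator.
SAMPLE = {"certs": (4, 5), "docs": (18, 20), "fresh": (15, 18),
          "open_change": 2, "open_cross": 3}
```

The third return value is what a drill-down view would list: the components that cost points, ordered by how many they cost.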
6.3 Smart Impact Mapper
What this module is, in one paragraph. The Smart Impact Mapper is the AI workflow behind Change-Management AI for content-driven regulatory exploration. It walks an 11-node graph (source loading → discovery → parallel search → sufficiency check → content loading → parallel entity analysis → synthesis → verification agent ↔ tool executor → tracker resolution → finding generation) with the verification agent able to call additional tools (Technical File inspector, Traceability Matrix navigator, Form Data lookup, Entity Relations walker) before committing a finding. Findings always land in the AI Findings inbox under "AI proposes, humans approve"; the AI never autonomously closes regulated records. This is the technical realisation of the EU AI Act Art. 14 Human-in-the-Loop contract. (A separate 7-node linear ChangeImpactGraphBuilder handles deterministic rule-engine evaluation; Smart Impact Mapper handles the open-ended content discovery cases.)
Regulatory pathway summary. Operationalises EU AI Act Art. 14 (Human Oversight); supports ISO 14971 §4.4 (change-review); supports MDR Art. 16 + Annex II §6.2 (change traceability).
| Aspect | Summary |
|---|---|
| Purpose | The AI engine behind regulatory ripple analysis — HITL by architectural design. |
| What the user sees | AI Findings produced with reasoning trace, confidence score, suggested action items; the underlying graph is internal. |
| Regulatory frameworks | EU AI Act Art. 14; ISO 14971 §4.4; MDR Art. 16. |
| Solves the regulatory problem of | AI ripple-analysis without HITL = High-Risk classification under EU AI Act; with HITL = Limited-Risk. |
| Pathway milestone unlocked | EU AI Act Limited-Risk classification for Wrapper’s own AI; Art. 14 HITL evidence. |
Why HITL is non-negotiable. Under EU AI Act Annex III, point 5, AI that is itself a medical device is High-Risk. Wrapper’s own AI is not a medical device per se but influences regulated decisions — if it auto-acted, it would assume Provider obligations under Art. 16. HITL keeps Wrapper’s own AI in the Limited-Risk class with Art. 50 transparency obligations only.
Who uses this module and when. Every approver of AI Findings — the AI proposes, humans approve. AI/ML Lead monitors graph performance. PRRC confirms HITL discipline at every audit.
6.4 AI Findings Inbox + HITL Approval
What this module is, in one paragraph. A single inbox where every AI proposal across all of Wrapper — Smart Impact Mapper, Training-Impact, Risk Discussion, Form Suggestion, Supplier Bots (QualiBot / AuditBot / MonitorBot / RenewBot / SwitchBot), AI Governance triggers, Cybersecurity Change-Mgmt AI rules — lands as a structured row with severity, reasoning, confidence, suggested action items, and an assignee. Each finding can be Accepted, Modified, Overridden, or Declined, with the decision recorded as a PIN-signed Audit Signature for 21 CFR Part 11 + EU AI Act Art. 14 compliance. The action item then drives downstream work — opens a sub-issue, creates a CAPA, assigns retraining, freezes a model, schedules a doc review. The inbox is the single operational surface for the AI-proposes-humans-approve contract.
Regulatory pathway summary. Operationalises EU AI Act Art. 14 (Human Oversight); FDA 21 CFR Part 11 (electronic signatures on every decision); FDA AI/ML Action Plan; FDA SaMD HITL principles; ISO 13485 §4.1.6 (validation of QMS software).
| Aspect | Summary |
|---|---|
| Purpose | Operationalise "AI proposes, humans approve" across all of Wrapper with full Part-11 + Art-14 evidence. |
| What the user sees | A single AI Findings inbox; severity-tagged tiles; reasoning trace; suggested action items; PIN-modal at every Accept / Modify / Override / Decline. |
| Regulatory frameworks | EU AI Act Art. 14; FDA 21 CFR Part 11; FDA AI/ML Action Plan; FDA SaMD HITL; ISO 13485 §4.1.6. |
| Solves the regulatory problem of | AI auto-action breaching HITL; Part 11 non-compliant approval of AI suggestions; lack of single audit trail across all AI proposals. |
| Pathway milestone unlocked | EU AI Act Art. 14 HITL evidence; FDA Part 11 attestation for AI approvals; defensible Limited-Risk classification for Wrapper’s own AI. |
Who uses this module and when. Every approver of AI Findings continuously. QMS Manager monitors aggregate inbox status. PRRC at every audit. EU AI Act regulator at conformity assessment.
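The rule-table propagation from 6.1 and the approval gate from 6.4, as an added example (not Wrapper's own code). The ripple targets and the four decision names come from the text; the rule ids, the `pin_verified` flag standing in for the PIN check, the handling of unmapped change types and the choice of which decisions release downstream work are assumptions.

```python
from dataclasses import dataclass, field

# Ripple targets are those named in 6.1; the rule ids are hypothetical
# placeholders, not entries from the product's rule table.
RULES = {
    "INTENDED_USE": ("CM-EXAMPLE-A", ["CER review", "GSPR review",
                     "Risk-file review", "IFU update", "DoC review"]),
    "RISK_CONTROL": ("CM-EXAMPLE-B", ["V&V test rerun",
                     "Verification record update", "Validation review"]),
    "SOP": ("CM-EXAMPLE-C", ["Personnel retraining"]),
}
DECISIONS = {"ACCEPTED", "MODIFIED", "OVERRIDDEN", "DECLINED"}


@dataclass
class Finding:
    rule_id: str
    action: str
    status: str = "PROPOSED"
    audit: list = field(default_factory=list)


def evaluate(change_type):
    """Turn one change event into proposed findings; never act on them."""
    if change_type not in RULES:
        # Fail closed (assumed behaviour): an unmapped change gets a manual
        # triage finding instead of silently producing no ripples.
        return [Finding("UNMAPPED", f"Manual impact assessment: {change_type}")]
    rule_id, actions = RULES[change_type]
    return [Finding(rule_id, action) for action in actions]


def decide(finding, approver, decision, pin_verified):
    """Record one human decision; pin_verified stands in for the PIN check."""
    if decision not in DECISIONS:
        raise ValueError(f"unknown decision {decision!r}")
    if not approver or not pin_verified:
        raise PermissionError("decision requires an authenticated approver")
    if finding.status != "PROPOSED":
        raise ValueError("finding already decided")
    finding.status = decision
    finding.audit.append((finding.rule_id, approver, decision))


def dispatch(finding):
    """Release downstream work only once a human approval is on record."""
    # Assumption: only ACCEPTED and MODIFIED release the proposed action.
    if finding.status not in {"ACCEPTED", "MODIFIED"}:
        raise PermissionError(f"{finding.rule_id}: no approval on record")
    return f"task opened: {finding.action}"
```

Because `evaluate` only returns proposals and `dispatch` checks the recorded decision, no code path lets a rule firing trigger downstream work on its own.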
