3. Design-Cycle Layer
3.1 Technical File (hardware)
What this module is, in one paragraph. The Technical File is the MDR Annex II dossier root — the structured set of documents demonstrating that a device meets the General Safety and Performance Requirements (Annex I), describes its design, manufacturing, intended use, and clinical evaluation. FDA 21 CFR 820.30 (Design Controls) demands the same evidence reorganised as a Design History File (§820.30(j) DHF), Device Master Record (§820.181 DMR), and Device History Record (§820.184 DHR). ISO 13485:2016 §7.3 (Design and Development) structures the lifecycle from planning (§7.3.2) through review (§7.3.4), verification (§7.3.6), validation (§7.3.7), transfer (§7.3.8), and changes (§7.3.9). Wrapper’s TF module is the dossier-root: hierarchical sections per regulatory framework, AI-classified document attachments, regulatory-framework tagging (MDR / FDA QMSR / ISO 13485 / EU AI Act / UKCA), device-class tagging (I / IIa / IIb / III / Implant), per-section completeness status, gap analysis against the applicable framework checklist. The standard hardware tab set covers Use Case → Requirements → Risk → Design Input → Design Output → a configurable series of Test tabs.
Regulatory pathway summary. Supports CE marking under MDR Annex II §1-8 (TF compilation) + Annex III (post-market TF) + Annex IX/X/XI NB routes; FDA design-controls evidence under 21 CFR 820.30(c)-(j) including DHF; FDA Device Master Record §820.181 + Device History Record §820.184; ISO 13485:2016 §7.3.1-9; MDSAP TF chapter (Chapter 2); UK MDR 2002 Part II §7A.
| Purpose | The structured Annex II / DHF dossier. |
| What the user sees | A TF dashboard with sections, completeness status, regulatory tagging; AI confidence per section; gap analysis against framework checklist. |
| Regulatory frameworks | MDR Annex II §1-8 + Annex III; FDA 21 CFR 820.30 + §820.181 + §820.184; ISO 13485 §7.3.1-9; MDSAP Chapter 2; UK MDR 2002 Part II §7A. |
| Solves the regulatory problem of | Annex II §5/§6 dossier desynchronisation discovered at NB audit; DHF missing required elements at FDA inspection. |
| Pathway milestone unlocked | NB Annex II/III dossier acceptance → CE certificate issuance (Annex IX §2.3 / Annex X §3); FDA 510(k) / De Novo / PMA submission; MDSAP Chapter 2 evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Device description and specification | MDR Annex II §1 | TF compiled | All classes |
| Information supplied by manufacturer | MDR Annex II §2 | Labelling + IFU | All classes |
| Design and manufacturing information | MDR Annex II §3; 21 CFR 820.30(c)-(d) | Design and manufacturing process | All classes |
| GSPR compliance | MDR Annex II §4 → Annex I | CE marking | All classes |
| Benefit-risk analysis | MDR Annex II §5 → Annex I §1 + §8 | All conformity assessment | All classes |
| Product VV | MDR Annex II §6; 21 CFR 820.30(f)+(g) | Design verification + validation | All classes |
| Post-market TF | MDR Annex III §1.1 | PMS plan + PMS report / PSUR attached | All classes |
| Design History File | 21 CFR 820.30(j) | FDA submission + inspection | FDA Class II, III |
| Device Master Record | 21 CFR 820.181 | All FDA-regulated devices | FDA Class II, III |
| Device History Record | 21 CFR 820.184 | Production lots | All classes (FDA scope) |
| Design Plan | 21 CFR 820.30(b); ISO 13485 §7.3.2 | Design and development activities | All classes |
| Design changes | 21 CFR 820.30(i); ISO 13485 §7.3.9 | Any design change | All classes |
| TF document control | MDR Annex II §1.6 | All TF documents | All classes |
| UKCA TF | UK MDR 2002 Part II §7A | UK market | UK scope |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Section completeness gauge | "Show me your Annex II coverage" — answered without dossier reassembly. |
| Per-section AI classification | Mis-filed documents (e.g. CER stored under Manufacturing) — flagged automatically. |
| Gap analysis vs framework | GSPR row missing justification — flagged before NB sees it. |
| Design Plan section | 21 CFR 820.30(b) Design Plan referenced but not retrievable — top-5 design-controls Form-483. |
| Design Changes record | Change made without §820.30(i) review — Form-483 + Warning-Letter material. |
| DHF index | DHF compilation incomplete — FDA inspection observation. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| TF section structure | NB Annex II/III dossier; CE certificate issuance |
| Design Plan + Design Changes | FDA 510(k) submission package; FDA inspection §820.30 readiness |
| DHF / DMR / DHR | FDA QMSR readiness (effective 2 Feb 2026) |
| UKCA TF tagging | UKCA marking via UK Approved Body (UK MDR 2002 Part II §7A) |
| Cross-framework checklist | MDSAP Chapter 2 evidence; ISO 13485 §7.3 surveillance pass |
Why these regulations are non-negotiable. Without a current and complete TF satisfying MDR Annex II §1-8 (Device description, IFU, Design and manufacturing, GSPR conformity, Benefit-risk, V&V, Specific aspects, plus Annex III post-market), CE certificate issuance is blocked at NB Annex II review — typical delay 4–8 weeks per re-submission cycle. FDA 21 CFR 820.30 is one of the four most-cited design-controls subparts in Form-483 observations; deficient DHF compilation routinely surfaces in Warning Letters.
Who uses this module and when. RA Lead and PRRC daily during development and submission cycles. Engineering daily for section updates. QMS Manager for §7.3.4 design review evidence. NB Auditor opens it at every audit — typically the first screen they request.
3.2 SaMD Technical File
What this module is, in one paragraph. Software as a Medical Device (SaMD) — software intended to be used for one or more medical purposes that performs these purposes without being part of a hardware medical device — requires evidence the hardware TF cannot represent. MDR Annex II still applies, but the content of each section shifts: "Design Output" is no longer a mechanical drawing but a frozen software release; "Design Input" includes the AI training dataset specification; risk includes drift, bias, and automation-bias. FDA’s SaMD framework + Clinical Decision Support guidance + PCCP final guidance + GMLP principles layer onto MDR; IEC 62304:2006+A1:2015 (Software Lifecycle) + IEC 81001-5-1:2021 (Health-Software Cybersecurity) + ISO 14971:2019 (Risk Management) specify the lifecycle and risk processes; EU AI Act Reg. 2024/1689 Annex IV specifies the AI technical documentation structure. Wrapper’s SaMD TF is a sibling of the hardware TF with 15 software-shaped tabs replacing the hardware tab set: Intended Use & Claims, Software Requirements, Architecture / SOUP / Interfaces, Algorithm / Model Registry, Dataset & Ground Truth, Risk Management, Cybersecurity, Verification, Clinical Validation, Usability / Human-AI Team, Labeling / Transparency, Release & Configuration, PCCP / AI Change Control, Post-Market AI Performance, Regulatory Submissions. Each tab carries citations to MDR Annex II, FDA SaMD/CDS/PCCP, IEC 62304, IEC 81001-5-1, ISO 14971, and EU AI Act Annex IV — so a single SaMD TF entry presents itself in five regulator lenses without duplicate evidence.
Regulatory pathway summary. Supports MDR Annex II adapted for SaMD; FDA SaMD final guidance (2017) + Clinical Decision Support guidance (2022) + PCCP final guidance (2024) + GMLP joint principles (FDA/Health-Canada/MHRA); IEC 62304:2006+A1:2015 software lifecycle (§5 development + §6 maintenance + §7 risk + §8 configuration + §9 problem resolution); IEC 81001-5-1:2021 health-software cybersecurity activities; ISO 14971:2019 (software risk integration); EU AI Act Reg. 2024/1689 Annex IV technical documentation; IMDRF/SaMD/N12 risk categorisation.
| Purpose | The SaMD-shaped Annex II equivalent — every regulator’s expectation in one place. |
| What the user sees | 15 tabs per device, each with regulator-citation mapping; controlled rows; "View as" lens (MDR / FDA / AI Act / IEC 62304 / IEC 81001-5-1). |
| Regulatory frameworks | MDR Annex II adapted; FDA SaMD/CDS/PCCP/GMLP; IEC 62304; IEC 81001-5-1; ISO 14971; EU AI Act Annex IV; IMDRF SaMD/N12. |
| Solves the regulatory problem of | Hardware TF tab structure collapses on software-specific evidence (Algorithm Registry, Dataset, PCCP, drift). |
| Pathway milestone unlocked | FDA SaMD submission; EU AI Act conformity assessment under Art. 43; NB SaMD-aware CE evidence; IEC 62304 §5 + §6 compliance. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Intended Use & Claims | MDR Annex II §1.1(c); FDA SaMD; EU AI Act Art. 11 + Annex IV §1 | Anchor of every claim | SaMD scope |
| Software Requirements | IEC 62304 §5.2; FDA 21 CFR 820.30(c); MDR Annex II §3 | Software development | SaMD scope |
| Architecture / SOUP | IEC 62304 §5.3 + §8.1 (SOUP); FDA Pre-market SW guidance | All software | SaMD scope |
| Algorithm / Model Registry (frozen) | FDA SaMD configuration-item; EU AI Act Art. 11; FDA PCCP | All AI/ML SaMD | High-Risk AI |
| Dataset & Ground Truth | EU AI Act Art. 10; FDA GMLP principle 4-6 | All AI/ML SaMD | High-Risk AI |
| SaMD risk | ISO 14971 §3-§7; IEC 62304 §7; EU AI Act Art. 9 | All SaMD | SaMD scope |
| Cybersecurity | IEC 81001-5-1 §4-§9; MDR Annex I §17; FDA Cyber Sept 2023; MDCG 2019-16 | All SaMD | SaMD scope |
| Verification | IEC 62304 §5.6; FDA 21 CFR 820.30(f); MDR Annex II §6 | All SaMD | SaMD scope |
| Clinical Validation | MDR Art. 61 + Annex XIV; FDA SaMD clinical validation; EU AI Act Art. 15 | Clinical claim | SaMD scope |
| Usability / Human-AI Team | IEC 62366-1; FDA + Health-Canada + MHRA transparency principles | All SaMD | SaMD scope |
| Labeling / Transparency | EU AI Act Art. 13 + Art. 50; MDR Annex I §23; 21 CFR 801 | All SaMD | SaMD scope |
| Release & Configuration | IEC 62304 §8 (configuration management) | All SaMD | SaMD scope |
| PCCP | FDA PCCP final guidance (2024) | AI/ML SaMD seeking iterative-improvement under FDA | FDA AI/ML scope |
| Post-Market AI Performance | EU AI Act Art. 72; FDA AI/ML Action Plan; MDR Art. 83 | All deployed AI | High-Risk AI |
| Regulatory Submissions | 21 CFR 807 / 812 / 814; MDR Art. 52 (NB submission); EU AI Act Art. 43 | Submission cycle | SaMD scope |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Frozen Model Registry | Foundation model silently updated (e.g. GPT version change) — FDA reproducibility violation; cannot reconstruct historical inference. |
| Dataset Ground Truth | Dataset bias unaddressed — EU AI Act Art. 10 Annex IV gap; FDA AI/ML Action Plan failure. |
| PCCP | Retraining outside PCCP boundary — FDA PCCP violation; submission re-required. |
| Cybersecurity tab | MDCG 2019-16 elements not produced — NB MDR Annex I §17 finding. |
| Configuration / Release | Software version, model version, dataset version not co-released — FDA SaMD configuration-item failure. |
| Inference Traceability (cross-link) | "Why did the AI produce this output for patient X on date Y?" — unanswerable → FDA + EU AI Act Art. 12 failure. |
| Usability / Human-AI Team | Automation-bias not addressed — IEC 62366 finding + AI Act Art. 14 finding. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full 15-tab SaMD TF | FDA SaMD submission; FDA inspection SaMD readiness |
| PCCP boundary | FDA AI/ML pre-determined-change-control approval (iterative AI without resubmission) |
| EU AI Act Annex IV mapping | EU AI Act Art. 43 conformity assessment |
| IEC 62304 + IEC 81001-5-1 | CE under MDR + AI Act dual conformity |
| Frozen Model Registry | Continuous regulator-defensible reproducibility |
Why these regulations are non-negotiable. Under EU AI Act Art. 11 + Annex IV, AI-enabled high-risk medical devices must carry Annex IV technical documentation before placing on the market after 2 August 2026 — without it, the device is unmarketable. FDA SaMD evidence is required at premarket review; without PCCP, every iterative AI update triggers a new submission cycle. IEC 62304 is mandatory for any SaMD intended for CE marking — without IEC 62304 §5 + §6 evidence, the NB cannot accept the TF.
Who uses this module and when. SaMD Engineering Lead daily during development. AI/ML Lead daily for Model Registry and Dataset tabs. Cybersecurity Officer for Cybersecurity tab. RA Lead at submission planning and during the §7.3 design review cycle. FDA reviewer at premarket review and post-market PCCP audits. NB Auditor at SaMD-aware CE audit and surveillance.
3.3 Master Technical File (MTF) Log
What this module is, in one paragraph. An MTF — Master Technical File — is the set of static documents that surround the live design matrix (use-cases, requirements, risks, verification tests). The MTF holds Plans (Design Plan, Risk-Management Plan, Clinical-Evaluation Plan, PMS Plan, PMCF Plan), the GSPR checklist (MDR Annex I — one row per requirement with justification, evidence document, harmonised-standard citation), the standards list, NB Certificates, the Declaration of Conformity, the IFU master, the regulatory strategy, the PRRC appointment letter (MDR Art. 15), the company-level ISO 13485 + MDSAP certificates, plus the SOPs and policies that the TF references. MDR Annex II demands all of these and CE marking is blocked until they are present, approved, and current. The MTF Log replaces folder-and-spreadsheet tracking with a structured, auditable, dashboard-driven log where every artefact has status, owner, expiry date, and a link to the device(s) it covers (by UDI).
Regulatory pathway summary. Supports CE marking under MDR Annex II + Annex III, NB conformity assessment routes Annex IX/X/XI; FDA design-controls evidence under 21 CFR 820.30 (QMSR effective 2 Feb 2026); ISO 13485:2016 §7.3 / §7.3.10; MDSAP TF chapter; UKCA under UK MDR 2002 Part II; EU AI Act Annex IV.
| Purpose | Single source of truth for every static TF document the regulator might ask for. |
| What the user sees | A dashboard tab (counts of approved / in-review / expiring) plus three log tabs: GSPR & Standards, Plans & Documents, Certificates & External Docs. Each row shows status, owner, last revision, expiry, linked device(s) by UDI. |
| What it replaces | The flat Technical Files list, scattered cert PDFs, ad-hoc spreadsheets tracking standards. |
| Regulatory frameworks | MDR 2017/745 Annex II §1-8 + Annex III; FDA QMSR (21 CFR 820.30); ISO 13485 §7.3 / §7.3.10 / §4.2.3; MDSAP TF chapter; UK MDR 2002 Part II; EU AI Act Annex IV. |
| Solves the regulatory problem of | TF/CER/Risk-file desynchronisation triggering NB Annex II §5 / §6 findings; NB certificate expiry unnoticed blocking CE renewal; design-controls evidence not retrievable at FDA inspection. |
| Pathway milestone unlocked | NB Annex II/III TF assessment; FDA submission package (21 CFR 820.30(j)); ISO 13485 stage-2 + surveillance audit pass; CE certificate renewal. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| GSPR checklist (Annex I) | MDR Annex I §1-23; UK MDR 2002 Sch. 1 | Any CE-marked or UKCA-marked device | All classes |
| TF compilation | MDR Annex II §1-8 | TF prepared / updated for NB assessment | All classes |
| Post-market TF | MDR Annex III §1.1 | PMS plan + PMS report (Class I) / PSUR (≥IIa) | All classes |
| Design-controls record | 21 CFR 820.30(c)-(j) | Device subject to design controls | FDA Class II, III |
| Design History File | 21 CFR 820.30(j) | FDA submission or QMSR audit | FDA Class II, III |
| Harmonised-standards list | MDR Art. 8; ISO 13485 §7.3.3 | Conformity claimed against OJEU list | All classes |
| NB certificate tracking | MDR Annex VII §4.3; (EU) 2017/745 Art. 56 | Class IIa/IIb/III with NB certificate | IIa, IIb, III, Implants |
| Declaration of Conformity | MDR Art. 19 + Annex IV | Device placed on EU market | All classes |
| IFU / labelling master | MDR Annex I §23; 21 CFR 801; UK MDR 2002 Reg. 10 | Device labelling under change control | All classes |
| PRRC appointment | MDR Art. 15 | Manufacturer in EU jurisdiction | All classes |
| Regulatory strategy | ISO 13485 §7.3.2; 21 CFR 820.30(b) | Pre-submission planning | All classes |
| AI Annex IV technical doc | EU AI Act Art. 11 + Annex IV | High-risk AI device | High-Risk AI |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Cert-expiry tracking | NB certificate lapses unnoticed — MDR Art. 56(4) removes device from EU market. |
| GSPR row status | Missing GSPR justification — NB Annex II §4 major non-conformity. |
| Standards-list versioning | Withdrawn harmonised standard still cited — NB observation. |
| DoC linked to UDI | DoC not retrievable per device — Art. 10(6) competent-authority request unanswerable. |
| IFU master under change control | Labelling drift — FDA 21 CFR 801 misbranding finding. |
| PRRC appointment | Missing appointment letter — MDR Art. 15 NB finding. |
| Regulatory strategy stored | Design-planning gap — 21 CFR 820.30(b) Form-483. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| TF section completeness | NB Annex II/III dossier acceptance → CE certificate issuance |
| Cert validity tracker | CE certificate renewal cycle (5-year max, Annex VII §4.8) |
| Design-controls log | FDA 510(k) submission; FDA inspection §820.30 readiness |
| Standards list | MDSAP Chapter 2 evidence |
| GSPR checklist | UKCA marking (UK MDR 2002 Part II §7A) |
| AI Annex IV | EU AI Act Art. 43 conformity assessment |
Why these regulations are non-negotiable. Without a current, signed Risk-Management Report aligned to ISO 14971:2019 and a GSPR row for every applicable requirement of MDR Annex I, a Notified Body cannot close Annex II §5 / §6 dossier review — CE certificate issuance is paused. An expired NB certificate (5-year cap, MDR Annex VII §4.8) removes the device from the EU market by operation of law (MDR Art. 56(4)); there is no grace period.
Who uses this module and when. The PRRC and RA Lead daily. The QMS Manager dashboard weekly. Internal Auditors during pre-surveillance dry-runs. NB Auditors open it directly at surveillance audit or unannounced visit.
3.4 UDI Registry
What this module is, in one paragraph. Every medical device placed on the EU or US market must carry a Unique Device Identifier (UDI) — a globally unique identifier resolved through an issuing agency (GS1, HIBCC, ICCBBA, IFA). MDR Art. 27 + Art. 29 + Annex VI Part C require manufacturers to assign and register both a Basic UDI-DI (the device-group identifier) and a UDI-DI (the device-variant identifier) to every device, and to register them in EUDAMED. FDA UDI Rule (21 CFR 830) imposes the equivalent in the US (GUDID database). The UDI is the cross-module key by which a regulator says "show me everything about this device" and gets a coherent answer — vigilance events, supplier components, design records, clinical evaluations, training assignments all join by UDI.
Regulatory pathway summary. Supports MDR Art. 27 (UDI system) + Art. 29 (registration of devices) + Annex VI Part C (UDI system details); FDA 21 CFR 830 (UDI Rule); IMDRF/UDI WG/N7 (UDI guidance); EUDAMED UDI/Devices module (mandatory 28 May 2026); GS1 / HIBCC / ICCBBA / IFA issuing-agency rules.
| Purpose | Make every device the queryable join key across the eQMS. |
| What the user sees | UDI Registry per project; issuing-agency tagging; ObjectUdi link from any regulated object to a UDI; UDI-DI variant tracking. |
| Regulatory frameworks | MDR Art. 27-29 + Annex VI Part C; 21 CFR 830; EUDAMED UDI/Devices; GS1/HIBCC/ICCBBA/IFA. |
| Solves the regulatory problem of | Vigilance event filed without UDI (Art. 87(5) rejection); FDA premarket missing UDI-DI; EUDAMED submission failure post 28 May 2026. |
| Pathway milestone unlocked | EUDAMED Device-Registration submission; FDA GUDID compliance; CE marking under MDR Art. 27. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Basic UDI-DI assignment | MDR Annex VI Part C §3.2 | Device group | All classes |
| UDI-DI assignment | MDR Annex VI Part C §3.3 | Device variant | All classes |
| UDI carrier on labelling | MDR Art. 27(3); 21 CFR 830.20 | Device labelling | All classes |
| EUDAMED UDI registration | MDR Art. 29 + Art. 31 | EU placement | All classes (EU scope) |
| FDA GUDID submission | 21 CFR 830.310 | FDA placement | FDA Class II, III, I (with exceptions) |
| Issuing-agency selection | MDR Art. 27(2); 21 CFR 830.100 | UDI assignment | All classes |
| ObjectUdi link | Cross-cuts MDR + FDA traceability | Any regulated object tied to a device | All classes |
| Re-issue on significant change | MDR Annex VI Part C §3.10 | Device-attribute change triggering new UDI | All classes |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Structured Basic UDI-DI | EUDAMED submission failure for missing field — 28 May 2026 deadline blocker. |
| FDA GUDID export | Submission rejected for missing UDI-DI — FDA refusal-to-accept finding. |
| ObjectUdi link | "Show me all events for this device" — unanswerable without UDI join. |
| Issuing-agency record | Wrong issuing agency selected — UDI invalidity at audit. |
| Re-issue logic | Variant change without UDI re-issue — MDR Annex VI Part C §3.10 violation. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full UDI registry | EUDAMED Device-Registration (28 May 2026 deadline); FDA GUDID compliance |
| ObjectUdi cross-link | Vigilance / Supplier / Training / Design records joinable by UDI |
| Re-issue logic | Continuous MDR Annex VI Part C compliance |
Why these regulations are non-negotiable. EUDAMED UDI/Devices is mandatory 28 May 2026 — without a registered Basic UDI-DI and UDI-DI per variant, the device cannot be placed on the EU market after that date. 21 CFR 830 enforced by FDA at GUDID; missing UDI is a refusal-to-accept finding at premarket review.
Who uses this module and when. RA Lead at every device launch and every variant. PRRC at every EUDAMED submission. QA at every labelling revision. Vigilance team at every incident logging.
3.5 Traceability Matrix (TFM)
What this module is, in one paragraph. A Traceability Matrix is the live grid linking Requirements ↔ Risks ↔ Design Inputs ↔ Design Outputs ↔ Tests ↔ Verification records — the single artefact every Notified Body asks to see first because it answers, in one screen, whether the entire design is internally consistent. MDR Annex II §6 (V&V) demands this traceability; FDA 21 CFR 820.30(f) (design verification) + §820.30(g) (design validation) demand the same in FDA jurisdiction; ISO 13485:2016 §7.3.6 + §7.3.7 specify the lifecycle activities; ISO 14971 §6 demands that every risk control is verified; IEC 62304 §5.6 + §5.7 demand the equivalent for software V&V and software risk control. Wrapper’s Matrix is a configurable grid where admins build column sets per regulatory framework, cells link to entities, revisions track per cell, locks prevent uncontrolled edits, and revisions are approval-bound (the Matrix is one of the seven polymorphic ObjectApproval object types).
Regulatory pathway summary. Supports MDR Annex II §6 (V&V traceability); FDA 21 CFR 820.30(f) (design verification) + §820.30(g) (design validation) + §820.30(e) (design review); ISO 13485:2016 §7.3.6 (verification) + §7.3.7 (validation); ISO 14971 §6 (risk-control implementation) + §7 (risk-control verification); IEC 62304 §5.6 + §5.7 (software V&V and risk).
| Purpose | The single artefact every NB asks to see first; the design-internal-consistency proof. |
| What the user sees | A configurable grid with diff-log per revision; lock semantics (TraceabilityMatrixLock); status per cell; cell drill-down to linked entities; column-configurator per framework. |
| Regulatory frameworks | MDR Annex II §6; FDA 21 CFR 820.30(e)(f)(g); ISO 13485 §7.3.6/.7; ISO 14971 §6 + §7; IEC 62304 §5.6 + §5.7. |
| Solves the regulatory problem of | V&V trace gaps at audit — the dossier finding that loses CE certificates. |
| Pathway milestone unlocked | NB Annex II §6 V&V dossier acceptance; FDA design-controls review pass; ISO 14971 §7 risk-control verification evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Requirements ↔ Design Output trace | MDR Annex II §6.2; 21 CFR 820.30(d) | Every Design Output | All classes |
| Design Input ↔ Verification trace | 21 CFR 820.30(f); ISO 13485 §7.3.6 | Every Design Input verified | All classes |
| Validation trace (Validation against user needs) | 21 CFR 820.30(g); ISO 13485 §7.3.7 | Every design validation | All classes |
| Risk ↔ Risk Control trace | ISO 14971 §6.2 + §6.4 | Every risk control | All classes |
| Risk Control ↔ Verification trace | ISO 14971 §7.1 + §7.2 | Every risk control verified | All classes |
| Software Unit ↔ Test trace | IEC 62304 §5.6.2 | Software unit verification | SaMD scope |
| Design Review records | 21 CFR 820.30(e); ISO 13485 §7.3.4 | Each design-review milestone | All classes |
| Matrix revision lock | ISO 13485 §7.3.9 (design changes) | Controlled change to matrix | All classes |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Live grid (always-current) | "Auditor opens spreadsheet → it is 6 months stale" — Annex II §6.2 finding. |
| Per-cell revision diff | "Show me the trace as of last release" — answered with revision diff. |
| Risk-Control verification trace | ISO 14971 §7.1 gap — top-three risk-management findings. |
| Validation against user needs | §820.30(g) gap — Form-483 observation. |
| Lock semantics | Uncontrolled edits to matrix — §7.3.9 design-changes violation. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full Matrix grid | NB Annex II §6 V&V dossier acceptance |
| Risk-Control verification | ISO 14971 §7 evidence; reduces "risk-control verification missing" findings to zero |
| Validation traceability | FDA 21 CFR 820.30(g) inspection readiness |
| IEC 62304 §5.6 trace | CE under MDR for SaMD |
Why these regulations are non-negotiable. V&V traceability is the #1 finding at NB Annex II audits — a Matrix that does not show every Risk Control linked to a Verification record fails ISO 14971 §7.1. FDA 21 CFR 820.30(g) (design validation) is one of the top-five design-controls Form-483 observations year-on-year.
Who uses this module and when. Engineering lead daily during development. RA Lead at every design review (§7.3.4). Risk owner at every risk-control update. NB Auditor at every TF assessment.
3.6 Risk Management (ISO 14971)
What this module is, in one paragraph. ISO 14971:2019 defines the Risk Management Process for medical devices: hazard identification (§5) → risk analysis (§5.4) → risk evaluation (§5.5) → risk-control option analysis (§6.2) → risk-control implementation (§6.3) → residual risk evaluation (§7) → risk-benefit analysis (§8) → risk-management report (§9). MDR Annex I §3 requires risk-management throughout the device lifecycle and MDR Annex II §5 requires the risk-management file in the TF. FDA 21 CFR 820.30(g) requires risk analysis as part of design validation. IEC 62304 §5.7 integrates software risk into the lifecycle. EU AI Act Art. 9 requires an AI Risk Management System for high-risk AI. Wrapper’s Risk module carries the full ISO 14971 chain: hazard log → evaluation (severity × probability) → control → benefit-risk → control-verification, each chain element revision-locked, approval-bound, and linkable to the Traceability Matrix and Verification tests. A separate RiskDiscussion AI assistant helps SMEs identify and refine hazards conversationally without ever auto-mutating the risk file (HITL by design).
Regulatory pathway summary. Supports ISO 14971:2019 §3-§10 (risk-management process); MDR Annex I §3 + §4 (general safety) + Annex II §5 (risk-management file); FDA 21 CFR 820.30(g) (design validation including risk analysis); IEC 62304 §5.7 (software risk in V&V) + §7 (software risk management); EU AI Act Art. 9 (AI risk management system); ISO/IEC 23894:2023 (AI risk management); ISO/TR 24971:2020 (guidance on ISO 14971).
| Purpose | The ISO 14971 Risk Management File, lifecycle-controlled. |
| What the user sees | Hazard log + Control log + Benefit-risk log + Control-verification log; revision lock + approval; RiskDiscussion AI assistant for hazard identification. |
| Regulatory frameworks | ISO 14971:2019 §3-§10; MDR Annex I §3 + §4 + Annex II §5; FDA 21 CFR 820.30(g); IEC 62304 §5.7 + §7; EU AI Act Art. 9; ISO/IEC 23894. |
| Solves the regulatory problem of | Risk file desynchronisation from CER / IFU / Design Outputs — the most common Annex II §5 finding. |
| Pathway milestone unlocked | NB Annex II §5 dossier; FDA risk-controls review; EU AI Act Art. 9 evidence; IEC 62304 §7 evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Hazard identification | ISO 14971 §5.3 | Every device lifecycle phase | All classes |
| Risk estimation (severity × probability) | ISO 14971 §5.4 | Every hazardous situation | All classes |
| Risk evaluation against acceptability | ISO 14971 §5.5 | Every estimated risk | All classes |
| Risk-control option analysis | ISO 14971 §6.2 | Every unacceptable risk | All classes |
| Risk-control implementation | ISO 14971 §6.3 | Every selected control | All classes |
| Residual-risk evaluation | ISO 14971 §7.1 | Every implemented control | All classes |
| Risk-benefit analysis | ISO 14971 §8 | Overall device benefit-risk | All classes |
| Risk-management report | ISO 14971 §9 | Pre-market + life-cycle reviews | All classes |
| Production + post-production information | ISO 14971 §10 | Post-market feedback loop | All classes |
| Software risk-management process | IEC 62304 §7 | All software in medical device | SaMD scope |
| AI Risk Management System | EU AI Act Art. 9 | High-risk AI device | High-Risk AI |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Hazard log | Hazards identified in workshops but never recorded — ISO 14971 §5.3 gap. |
| Risk-control verification | Risk control implemented but never verified — ISO 14971 §7.1 finding. |
| Benefit-risk record | Overall benefit-risk not analysed — MDR Annex I §1 + §8 gap; refusal of CE. |
| Production feedback loop | Post-market risk-data not fed back to risk file — ISO 14971 §10 gap. |
| AI Risk Management System (Art. 9) | AI hazards not analysed (drift, bias, automation-bias) — EU AI Act Art. 9 gap. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full ISO 14971 chain | NB Annex II §5 dossier acceptance; ISO 14971 surveillance pass |
| Risk-control verification | FDA 21 CFR 820.30(g) inspection readiness |
| Risk-management report | NB pre-market RMF review |
| AI Risk extension | EU AI Act Art. 9 conformity evidence |
| Software risk integration | IEC 62304 §7 evidence |
Why these regulations are non-negotiable. Risk-control verification gaps (ISO 14971 §7.1) are among the top-three risk-management findings at every NB audit. Under MDR Annex I §1, a device is not safe within the meaning of MDR if its risks have not been reduced as far as possible — without a complete RMF, the CE certificate cannot be issued.
Who uses this module and when. Risk owner daily during development. RA Lead at every §7.3.4 design review. PRRC at every risk-management report sign-off. NB Auditor at every TF audit — a frequent first-screen request.
3.7 Training
What this module is, in one paragraph. ISO 13485:2016 §6.2 (Human Resources) requires the manufacturer to determine the necessary competence for personnel performing work affecting product quality, provide training or take other actions to achieve the necessary competence, evaluate the effectiveness of the actions taken, maintain appropriate records of education, training, skills, and experience. FDA 21 CFR 820.25 (Personnel) imposes the equivalent. MDR Annex IX §2.2 specifies that the NB audits personnel competence. MDSAP Chapter 3 specifies the training-records inspection criteria. Wrapper’s Training module is the production-grade implementation: training assignments per person, role/group matrices (Person × Document, Group × Document, etc.), retraining schedules, competence evidence, plus 8 AI sentinels firing on regulated triggers (approval of a SOP revision, new role assignment, CAPA escalation, scheduled effectiveness scan, scheduled recertification-risk scan, etc.) that produce structured retraining findings in the AI Findings inbox — the QMS Manager approves which trainees need retraining; the system fans assignments out automatically. Acknowledgement of training-change is PIN-signed under Part 11.
Regulatory pathway summary. Supports ISO 13485:2016 §6.2 (competence + training); FDA 21 CFR 820.25 (personnel) + §820.20(b)(3) (organisation responsibility); MDR Annex IX §2.2 (NB audit of personnel); MDSAP Chapter 3 (Training); EU AI Act Art. 14 (HITL via PIN-signed acknowledge).
| Purpose | Demonstrable evidence of personnel competence at every level. |
| What the user sees | Five views (Training Log, Person Matrix, Group Matrix, Document Matrix, Audit Log); 12 AI tools; 8 AI sentinels; 4 PIN-signed action handlers (apply, create-curriculum, acknowledge, route). |
| Regulatory frameworks | ISO 13485 §6.2; FDA 21 CFR 820.25 + §820.20(b)(3); MDSAP Chapter 3; EU AI Act Art. 14. |
| Solves the regulatory problem of | "94% training compliance" not enough — auditor wants the 6% named with rationale. |
| Pathway milestone unlocked | NB personnel-competence audit pass; FDA inspection §820.25 readiness; MDSAP Chapter 3 evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Competence determination | ISO 13485 §6.2(a); 21 CFR 820.25(a) | Every regulated role | All classes |
| Training provision | ISO 13485 §6.2(b); 21 CFR 820.25(b)(1) | Identified competence gap | All classes |
| Effectiveness evaluation | ISO 13485 §6.2(c) | After training delivered | All classes |
| Awareness of relevance | ISO 13485 §6.2(d) | Every employee | All classes |
| Records of education / training | ISO 13485 §6.2(e); 21 CFR 820.25(b)(2) | All training events | All classes |
| Retraining trigger on document change | ISO 13485 §6.2(b); 21 CFR 820.25(b)(1) | SOP revision affecting role | All classes |
| Effectiveness scan | ISO 13485 §6.2(c) | Periodic re-evaluation | All classes |
| Recertification-risk scan | ISO 13485 §6.2(b) | Approaching certificate expiry | All classes |
| PIN-signed acknowledge | 21 CFR Part 11.50; EU AI Act Art. 14 | Training-change acknowledgement | FDA scope + AI HITL |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Person × Document matrix | "Show me everyone trained on SOP-014 v3" — answered in one query. |
| Retraining sentinel on doc approval | New SOP revision but staff still working to old version — §6.2 gap; major NB finding. |
| Effectiveness review | Training delivered but not evaluated — §6.2(c) gap. |
| PIN-signed acknowledge | "Did this person actually read the new SOP?" — answered by Part-11 signature row. |
| Recertification-risk scan | Trainer-of-trainers certificate expired without re-cert — §6.2 finding. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full matrix views | NB personnel audit pass; MDSAP Chapter 3 evidence |
| Effectiveness scan | ISO 13485 §6.2(c) evidence |
| 8 AI sentinels | Continuous retraining-readiness; reduces "should have retrained" findings |
| PIN-signed acknowledge | 21 CFR Part 11 attestation for training records |
Why these regulations are non-negotiable. ISO 13485 §6.2 is one of the most-audited clauses at every NB surveillance — particularly the effectiveness evaluation sub-clause (§6.2(c)), which is one of the top-five ISO 13485 stage-2 findings. FDA 21 CFR 820.25 is among the top-ten Form-483 citations in design-controls inspections.
Who uses this module and when. Trainees see assignments in /todo. QA drives matrix view daily. Auditors drive audit-log view. HR + QMS Manager at every role change. NB Auditor at every surveillance audit.
