2. Foundation Layer — The Chassis
2.1 Quality Event System (QES)
What this module is, in one paragraph. A Quality Event is any signal that might indicate a problem with the product, the process, or the QMS — a customer complaint, a service-engineer observation, an internal-audit finding draft, a near-miss from production, a chat message in support. ISO 13485:2016 §8.2.1 (Feedback) and FDA 21 CFR 820.198 (Complaint Files) require that every such signal be captured and triaged and a documented rationale explain why each one did or did not escalate to CAPA (§8.5.2). The classic SME failure mode is that signals live in email inboxes and chat logs and never reach the QMS — an audit finding waiting to happen. The QES forces every signal into a structured event with a six-state lifecycle (Triaged → Under Investigation → Root Cause Analysis → Corrective Action → Verification → Effectiveness Review), an event-chain linking the originating signal to all downstream issues it spawned, and a permanent audit-trail row for every status transition. The QES is the regulator-visible link between "a customer phoned" and "a CAPA was closed with effectiveness verified".
Regulatory pathway summary. Supports ISO 13485:2016 §8.2.1 feedback + §8.4 analysis of data + §8.5.2 corrective action + §8.5.3 preventive action; FDA 21 CFR 820.100 CAPA + §820.198 complaint files; MDR Art. 83 PMS plan + Annex III §1.1; MDSAP audit Chapter 4 (Measurement, Analysis, and Improvement); ISO 13485 §7.2.3 customer communication.
| Purpose | Capture every quality signal, force triage, prevent data leakage into informal channels. |
| What the user sees | A universal "report a quality event" entry point on every page; an Issue with isEvent styling; an event chain showing originating signal and downstream issues; six QES statuses to walk through; PIN-signed transitions for events triaged as CAPA-bound. |
| What it replaces or unifies | The gap between informal signal and formal CAPA — the place where most audit findings hide. |
| Regulatory frameworks | ISO 13485:2016 §8.2.1, §8.4, §8.5.2, §8.5.3; FDA 21 CFR 820.100, §820.198; MDR Art. 83 + Annex III §1.1; MDSAP Chapter 4; FDA 21 CFR 820.250 (statistical techniques) for trend analysis. |
| Solves the regulatory problem of | "Signal exists in email but never made it to CAPA" — the most common NB internal-audit finding under ISO 13485 §8.2.1; FDA 21 CFR 820.198(a) complaint-file gap (Form-483 Observation). |
| Pathway milestone unlocked | MDSAP Chapter 4 evidence; ISO 13485 surveillance-audit close-out of §8.2.1; FDA inspection readiness for complaint-files review under §820.198. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation (clause/article) | Applies when… | Class |
|---|---|---|---|
| Universal signal capture | ISO 13485 §8.2.1; FDA 21 CFR 820.198(a) | Any signal received from customers, service, or internal sources | All classes |
| Event triage (Triaged → Under Investigation) | ISO 13485 §8.2.1 + §8.5.2; FDA 21 CFR 820.100(a)(1) | Every signal must be triaged before CAPA escalation | All classes |
| Root-cause analysis | ISO 13485 §8.5.2(b); FDA 21 CFR 820.100(a)(3) | Triage promotes signal to investigation | All classes |
| Corrective action plan | ISO 13485 §8.5.2(c); FDA 21 CFR 820.100(a)(4) | Root cause identified | All classes |
| Verification of corrective action | ISO 13485 §8.5.2(d); FDA 21 CFR 820.100(a)(5) | Corrective action implemented | All classes |
| Effectiveness review | ISO 13485 §8.5.2(e); FDA 21 CFR 820.100(a)(6) | Verification passed | All classes |
| Event chain (signal → CAPA) | MDR Art. 83(2)(a); FDA 21 CFR 820.198(b) | All complaint records must trace to investigation outcome | All classes |
| Trend analysis (statistical) | MDR Art. 88; FDA 21 CFR 820.250 | Statistically significant increase in non-serious events | All classes |
| Customer communication record | ISO 13485 §7.2.3; FDA 21 CFR 820.198(e) | Information requested by customer or competent authority | All classes |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Universal signal capture | Service-engineer email never reaches QMS — NB Annex IX §2.2 internal-audit finding on "feedback channels not effective". |
| Event triage rationale | "Why did we close without CAPA?" not documented — FDA Form-483 observation under §820.198(a). |
| Root-cause analysis required | RCA missing — NB ISO 13485 §8.5.2(b) major non-conformity. |
| Effectiveness review | CAPA closed without effectiveness verification — the #1 FDA CAPA Form-483 observation. |
| Event chain | Complaint cannot be traced to investigation — §820.198(b) gap discovered at FDA inspection. |
| Trend analysis | Cluster of non-serious events not detected — MDR Art. 88 trend-reporting failure → competent-authority Art. 93 enforcement. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Six-state lifecycle | MDSAP Chapter 4 evidence (Measurement, Analysis, Improvement); ISO 13485 §8.2.1 surveillance-audit pass |
| RCA + effectiveness review | FDA inspection §820.100 readiness; ISO 13485 §8.5.2 evidence pack |
| Event chain | NB Annex IX §2.2 traceability evidence; MDSAP cross-process linkage |
| Trend analysis | MDR Art. 88 PSUR trend section; FDA 21 CFR 820.250 statistical-techniques evidence |
Why these regulations are non-negotiable. Without documented triage of every signal, ISO 13485 §8.2.1 is unsatisfied and the NB issues a major non-conformity at surveillance audit — typical recovery 30–60 days and remediation-audit cost. Without RCA and effectiveness verification, FDA 21 CFR 820.100(a)(3)–(a)(6) are open Form-483 items at inspection; persistent CAPA gaps trigger Warning Letters and Consent Decrees. A complaint file without a clear chain to investigation outcome (§820.198(b)) is one of the three findings every FDA inspector specifically looks for under the "complaint handling" inspection technique.
Who uses this module and when. Every employee uses the universal "report a quality event" entry point continuously. The QA Contact triages daily. The QMS Manager reviews open-event ageing weekly and trend statistics monthly. The PRRC sees serious-signal escalations within hours of triage. Internal Auditors drill into QES during the annual internal-audit cycle (ISO 13485 §8.2.3). NB Auditors open it at every surveillance audit and unannounced visit — QES is the second screen they open, immediately after the Technical File.
2.2 Document Control
What this module is, in one paragraph. A controlled document is any document that governs how a regulated activity is performed — an SOP, a Work Instruction, a Policy, a Form Template, a Record, an External Document — and must therefore be versioned, reviewed, approved, dated, distributed, and superseded under enforceable controls. ISO 13485:2016 §4.2.3 (control of documents) and §4.2.4 (control of records) require every document carry a defined status, a defined revision history, a defined approval cadence, and a defined retention period. FDA 21 CFR 820.40 (Document Controls) demands the same plus distribution control. 21 CFR Part 11 and EU GMP Annex 11 then layer on top: any document held electronically must have audit-trail, signature, access-control, and validation rigour. Wrapper’s Document Control gives every document an explicit status (Draft / In Review / Pending Approval / Approved / Effective / Superseded / Archived), an effective-date schedule promoted nightly by an automated job, an append-only FileHistory audit row for every mutation (action / old value / new value / actor / timestamp), and an approval ceremony binding the move to APPROVED to a PIN-signed AuditSignature row hash-chained against the prior signature.
Regulatory pathway summary. Supports ISO 13485:2016 §4.2.3 + §4.2.4 + §4.2.5 (control of records of external origin); FDA 21 CFR 820.40 (Document Controls) + §820.180–186 (Records); 21 CFR Part 11 Subpart B (electronic records) + Subpart C (electronic signatures); EU GMP Annex 11 §4 (validation), §5 (data), §7 (data storage), §9 (audit trail), §10 (change control); MDR Annex II §1.6 (TF document control); MDSAP Chapter 2 (Management Responsibility & Quality System).
| Purpose | Every regulated document is versioned, signed, dated, and inspector-traceable. |
| What the user sees | A document with explicit status; revision history with diff; e-signature row per approval; effective-date schedule; distribution log; retention policy applied automatically. |
| What it replaces or unifies | Network-folder document management with manual version naming; sharepoint shadow copies; the "which version is current?" audit question. |
| Regulatory frameworks | ISO 13485:2016 §4.2.3, §4.2.4, §4.2.5; FDA 21 CFR 820.40, §820.180-186; 21 CFR Part 11 Subparts B + C; EU GMP Annex 11 §4-10; MDR Annex II §1.6; MDSAP Chapter 2. |
| Solves the regulatory problem of | Effective-date drift (controlled document not in force when work was done); missing approval signatures; uncontrolled obsolete copies in circulation; revision-history gaps. |
| Pathway milestone unlocked | ISO 13485 §4.2 evidence pass; FDA inspection 21 CFR 820.40 readiness; NB document-control audit pass; 21 CFR Part 11 attestation; EU GMP Annex 11 evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Defined status lifecycle (Draft → Effective → Superseded) | ISO 13485 §4.2.3(b); 21 CFR 820.40(a) | Every controlled document | All classes |
| Approval before issue | ISO 13485 §4.2.3(a); 21 CFR 820.40(a)(1) | Move from Pending Approval → Approved | All classes |
| Review at planned intervals | ISO 13485 §4.2.3(b); 21 CFR 820.40(a)(1) | Periodic review trigger | All classes |
| Change identification + current status visible | ISO 13485 §4.2.3(c); 21 CFR 820.40(a)(2) | Every revision | All classes |
| Documents available at point of use | ISO 13485 §4.2.3(d); 21 CFR 820.40(b) | Distribution-controlled SOPs / WIs | All classes |
| Legibility + identification of obsolete | ISO 13485 §4.2.3(f); 21 CFR 820.40(c) | Superseded documents | All classes |
| Retention of obsolete | ISO 13485 §4.2.3(g); 21 CFR 820.180 | Document supersession | All classes |
| Records control (read-only after creation) | ISO 13485 §4.2.4; 21 CFR 820.180-186 | Quality records (Form Submissions, audit reports) | All classes |
| 21 CFR Part 11 electronic-record integrity | 21 CFR Part 11.10(a)-(k) | Any controlled document stored electronically | All classes (FDA jurisdiction) |
| 21 CFR Part 11 electronic-signature ceremony | 21 CFR Part 11.50, .70, .100, .200, .300 | Approval transitions | All classes (FDA jurisdiction) |
| EU GMP Annex 11 audit trail | Annex 11 §9 | EU GMP-regulated activity (e.g. sterile-device manufacture) | All classes (EU GMP scope) |
| EU GMP Annex 11 change control | Annex 11 §10 | Configuration-controlled change to a document | All classes (EU GMP scope) |
| TF document control specifically | MDR Annex II §1.6 | Documents forming part of the Technical File | All classes |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Effective-date scheduler | Document approved but staff worked on the prior revision because the effective date had not been announced — ISO 13485 §4.2.3(d) finding. |
| Append-only FileHistory | Auditor asks "show me revision 2.1 of SOP-014 on 14 March" — without the trail, the answer is "I think we had it then" — FDA 21 CFR 820.180 evidentiary failure. |
| Approval-bound transition | Document marked APPROVED with no signature row — 21 CFR Part 11.50 violation; NB Annex IX §2.2 finding on approval rigour. |
| Distribution control | Obsolete SOP still in circulation at production site — ISO 13485 §4.2.3(f) major non-conformity. |
| Status discriminator (Draft vs Effective) | Staff using a Draft as if it were Effective — 21 CFR 820.40(a) gap. |
| External-document control | Updated harmonised-standard version (OJEU change) not reflected in QMS reference list — ISO 13485 §4.2.5 finding; NB observation on standards currency. |
| Retention enforcement | Obsolete document deleted before retention period expired — 21 CFR 820.180 retention finding. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full status lifecycle | ISO 13485 §4.2 evidence pack; MDSAP Chapter 2 evidence |
| Approval + e-signature | 21 CFR Part 11 attestation; EU GMP Annex 11 compliance |
| Append-only FileHistory | FDA inspection §820.180 readiness; NB Annex IX audit-trail expectation |
| Effective-date promotion | Operational evidence for §4.2.3(d); reduces "wrong-version-used" findings to zero |
| External-doc tracking | Harmonised-standards currency for CE marking (MDR Art. 8); FDA recognition-of-consensus-standards readiness |
Why these regulations are non-negotiable. A document control system that cannot produce, in one click, the exact text in effect on a given date, fails the FDA "inspection-readiness" criterion under 21 CFR 820.180. A document approved without a corresponding 21 CFR Part 11.50 signature manifestation (printed name, date, meaning, signed-by-PIN) is a Part 11 violation per se — Warning Letter material. EU GMP Annex 11 §9 requires the audit trail to record every change to GMP data and is one of the EU GMP inspection’s first-day checks. MDR Annex II §1.6 integrates document control into the Technical File requirement: a TF document referenced without its current revision status is an Annex II §1.6 NB finding.
Who uses this module and when. Document authors create and version daily. Reviewers comment during review cycles (typically 2–4 weeks per revision). Approvers PIN-sign at approval gates. The QMS Manager runs the effective-date dashboard weekly and the periodic-review dashboard quarterly. Internal Auditors sample documents per the §8.2.3 audit-plan rotation. NB Auditors open it daily during the audit week. FDA Inspectors start their inspection with the document-control system — historically the first inspection focus.
2.3 Approval Engine + 21 CFR Part 11 Electronic Signature
What this module is, in one paragraph. An electronic signature under 21 CFR Part 11 Subpart C is not a checkbox or a typed name — it is a regulated ceremony binding three elements (the printed name of the signer, the date and time of execution, and the meaning associated with the signature — Approve, Authored, Reviewed, Accepted Responsibility, etc.) to a record in a way that cannot be excised, copied, or falsified. EU GMP Annex 11 §14 imposes the equivalent under EU law. FDA 21 CFR 820.40(b) requires that documents be approved before issue by designated individuals, with the date and signature recorded. Wrapper’s Approval Engine is a single polymorphic mechanism that drives approval for seven object types (Document, Process, Form Template, Form Submission, Traceability Matrix entry, Risk, AI Finding); every approval invokes a PIN ceremony (PIN HMAC-SHA256 hashed per-actor), records a controlled-vocabulary meaning validated against the action being approved (the meaning vocabulary itself is regulated — "Approve" is not interchangeable with "Verify Competence"), and writes the result to an INSERT-only **AuditSignature** ledger with UPDATE and DELETE permissions revoked at the database-grant level. Each signature carries a prev_hash SHA-256 chain to the previous signature — any tampering with a historical signature row breaks the chain forensically.
Regulatory pathway summary. Implements FDA 21 CFR Part 11 Subpart C (electronic signatures) — §11.50 (signature manifestations), §11.70 (signature/record linking), §11.100 (general requirements), §11.200 (electronic-signature components and controls), §11.300 (controls for identification codes/passwords); EU GMP Annex 11 §14 (electronic signatures); MDR Annex IX §2.2 (NB audit of approval procedures); FDA 21 CFR 820.40(b) (review and approval); ISO 13485:2016 §4.1.6 (controls applicable to software — including QMS software itself); EU AI Act Art. 14 (Human Oversight evidence) when applied to AI Finding approvals.
| Purpose | Every regulated state transition is forensically signed, every signature is regulator-defensible. |
| What the user sees | A PIN-modal at every approval step; signed-by + date + UTC timestamp + meaning visible on the signed record; an immutable history of every signature on a record. |
| What it replaces or unifies | Approvals via email; "wet-ink scanned and stored in SharePoint"; sign-as-typed-name dialogs that fail Part 11. |
| Regulatory frameworks | 21 CFR Part 11 Subpart C; EU GMP Annex 11 §14; MDR Annex IX §2.2; FDA 21 CFR 820.40(b); ISO 13485 §4.1.6; EU AI Act Art. 14. |
| Solves the regulatory problem of | "Show me the e-signature for this approval" — answered in one second per record with full chain integrity. |
| Pathway milestone unlocked | FDA 21 CFR Part 11 compliance attestation; EU GMP Annex 11 evidence; NB approval-procedures audit pass; EU AI Act Art. 14 HITL evidence for AI-Finding approvals. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Two-factor identity (PIN + identified user) | 21 CFR Part 11.200(a)(1) | First signing within a session | All classes (FDA scope) |
| Continuous-session signing | 21 CFR Part 11.200(a)(1)(ii) | Subsequent signings in same continuous session | All classes (FDA scope) |
| Signature manifestation (printed name + date/time + meaning) | 21 CFR Part 11.50 | Every electronic signature | All classes (FDA scope) |
| Signature inseparable from record | 21 CFR Part 11.70 | Every electronic signature on a record | All classes (FDA scope) |
| Controlled meaning vocabulary | 21 CFR Part 11.200(b) | Action-specific approval (Approve vs Authored vs Reviewed) | All classes |
| Audit-trail of identification codes | 21 CFR Part 11.300(d) | Loss / theft / re-issue of PIN | All classes (FDA scope) |
| Signature on TF document | MDR Annex II §1.6 + Annex IX §2.2 | Every TF document approval | All classes |
| Signature on risk-control verification | ISO 14971 §6 + §7; ISO 13485 §7.3.6 | Risk-control verification result | All classes |
| Signature on CAPA closure | ISO 13485 §8.5.2(e); FDA 21 CFR 820.100(a)(6) | CAPA effectiveness review closed | All classes |
| Signature on AI-Finding approval | EU AI Act Art. 14(4)(b); FDA 21 CFR Part 11 | AI proposal accepted/declined/modified by human reviewer | High-Risk AI |
| Signature on EUDAMED submission | MDR Art. 31(2) + Art. 56(5) | Actor SRN issuance + NB-certificate sync | All classes |
| Hash-chain tamper-evidence | 21 CFR Part 11.10(c) (protection of records) | Signature-ledger integrity | All classes (FDA scope) |
| Per-actor PIN storage (HMAC) | 21 CFR Part 11.300(a) | Every actor with signing privileges | All classes (FDA scope) |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Two-factor at session start | "User logged in but I’m not sure they actually signed" — 21 CFR Part 11.200(a)(1) failure → Warning Letter material. |
| Controlled meaning vocabulary | Signature meaning "Approved" used for both authorship and approval — Part 11.50 ambiguity, blocking attestation. |
| Hash-chain | Auditor asks "prove this signature wasn’t backdated" — without chain, no proof. |
| INSERT-only ledger | DBA could theoretically rewrite history — DB-grant revocation of UPDATE/DELETE eliminates the threat. |
| Polymorphic across 7 object types | Signatures on Risk verification differ in format from signatures on Document approval — auditor sees inconsistency. Single engine eliminates the variance. |
| Signature inseparable from record | Signature file disconnected from the record it signed — 21 CFR Part 11.70 violation. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Full Part 11 ceremony | FDA 21 CFR Part 11 attestation; FDA inspection Part 11 readiness |
| EU GMP Annex 11 §14 alignment | EU GMP inspection pass for electronic signatures |
| MDR Annex IX §2.2 approval rigour | NB approval-procedures audit pass |
| EU AI Act Art. 14 HITL evidence | AI Act conformity assessment for high-risk AI |
| Hash-chained ledger | Continuous tamper-evidence; reduces "could records have been altered?" challenge to zero |
Why these regulations are non-negotiable. 21 CFR Part 11 is the FDA’s single most-cited regulation in Warning Letters concerning electronic records (over 200 citations in the 2020–2024 period). A non-Part-11-compliant approval system in an FDA-regulated company is categorically blocking for both inspection pass and submission acceptance. EU GMP Annex 11 §14 is the EU equivalent and is similarly enforced. MDR Annex IX §2.2 specifies that the NB audits approval procedures including their software implementation — a deficient approval engine is an Annex IX major non-conformity. For AI Findings specifically, EU AI Act Art. 14(4)(b) requires that humans exercising oversight can "decide… not to use the high-risk AI system" — recorded as an approval action with traceable rationale.
Who uses this module and when. Every approver who PIN-signs (Document authors at issue, QA at CAPA closure, Engineering at design freeze, RA at TF approval, PRRC at vigilance submission, AI reviewers at AI-Finding accept/decline). The QMS Manager consumes the signature ledger weekly for audit-readiness review. FDA inspectors test the ledger during Part 11 inspections (random-sample audit-trail walks). NB auditors test the ledger at every surveillance audit.
2.4 Audit Trail (per-entity ObjectJournal)
What this module is, in one paragraph. Audit trails under 21 CFR Part 11.10(e) must be computer-generated, time-stamped, independent, and capable of being copied without altering the original — and they must capture every operator action that creates, modifies, or deletes electronic records, including the prior value, the new value, the action taken, the actor, and the date/time. EU GMP Annex 11 §9 demands the same and requires that the audit trail itself be reviewable. ISO 13485:2016 §4.2.4 + §4.2.5 require that quality records remain legible, identifiable, and retrievable. Wrapper’s per-entity Audit Trail is a separate mechanism from the approval signature ledger — it captures the broader "every-mutation" trail across regulated entities (Documents, Issues, Training assignments, Risk controls, Form Submissions, Approvals themselves) so a regulator can reconstruct, on demand, the exact history of any regulated record from creation to its current state.
Regulatory pathway summary. Implements 21 CFR Part 11.10(e) (audit trail) + §11.10(c) (protection of records); EU GMP Annex 11 §9 (audit trail); ISO 13485:2016 §4.2.4 + §4.2.5 (control of records); MDR Annex IX §2.2 (NB audit of records and traceability); ISO 27001:2022 Annex A 8.15 (logging); SOC-2 CC7.2 + CC7.3 (system monitoring + event response).
| Purpose | Reconstruct any record’s full mutation history on demand. |
| What the user sees | A per-record audit tab showing every change with diff (old value → new value), actor, UTC timestamp, action type. |
| What it replaces | Application-level logs that auditors cannot read; legacy "last modified" stamps with no diff. |
| Regulatory frameworks | 21 CFR Part 11.10(e), §11.10(c); EU GMP Annex 11 §9; ISO 13485 §4.2.4 + §4.2.5; MDR Annex IX §2.2; ISO 27001 Annex A 8.15; SOC-2 CC7.2/.3. |
| Solves the regulatory problem of | "Reconstruct how this regulated record reached its current state" — the auditor’s most-asked question. |
| Pathway milestone unlocked | FDA Part 11 inspection-readiness; EU GMP Annex 11 evidence; NB Annex IX traceability evidence; ISO 27001 Annex A 8.15 logging evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Computer-generated trail | 21 CFR Part 11.10(e) | All regulated electronic records | All classes (FDA scope) |
| Time-stamp at UTC precision | 21 CFR Part 11.10(e) + §11.10(d) | All record mutations | All classes (FDA scope) |
| Prior + new value retention | 21 CFR Part 11.10(e) | All record mutations | All classes (FDA scope) |
| Independent of operator | 21 CFR Part 11.10(e) | Operator cannot modify the trail | All classes (FDA scope) |
| Copy-without-altering | 21 CFR Part 11.10(e) | Inspector requests copy of trail | All classes (FDA scope) |
| Audit-trail review | EU GMP Annex 11 §9 | Routine GMP review of trails | All classes (EU GMP scope) |
| Record retention | ISO 13485 §4.2.4 + §4.2.5; 21 CFR 820.180 | Throughout retention period | All classes |
| Logging completeness | ISO 27001 Annex A 8.15 | All security-relevant events | All classes (ISMS scope) |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Independent computer-generated | "User claims they didn’t change it but the timestamp says they did" — operator-independent trail wins the dispute. |
| Prior + new value diff | "What did the record look like before this edit?" — answered with the diff. |
| UTC time-stamp | Time-zone drift inviting tampering claims — UTC eliminates ambiguity. |
| Tamper-evidence | "Could the trail itself have been edited?" — chain integrity precludes. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Universal per-entity trail | FDA Part 11 inspection-readiness; EU GMP Annex 11 §9 compliance |
| Diff format | Annex IX §2.2 traceability evidence; MDSAP Chapter 2 record-control evidence |
| ISMS-grade logging | ISO 27001 stage-1 + stage-2 readiness; SOC-2 CC7.2 evidence |
Why these regulations are non-negotiable. An audit trail that fails the "independent of operator" criterion under 21 CFR Part 11.10(e) is treated by FDA inspectors as effectively no trail — a Warning Letter trigger. A trail without prior/new value capture (only "modified by X at Y") fails the "reconstruct prior states" test under EU GMP Annex 11 §9 at EU GMP inspection. For ISO 27001:2022 Annex A 8.15, missing logs for privileged operations are a stage-2 audit finding that blocks certification.
Who uses this module and when. Auditors open the trail at every record-level investigation. QMS Manager samples trails during the §8.2.3 internal-audit cycle. Information Security Officer consumes the trail as one input to SOC-2 evidence (alongside the system-level logs). FDA inspectors and NB auditors test the trail at every audit.
2.5 Project Management
What this module is, in one paragraph. Every regulated artefact must be scoped — to a device, to a programme, to an organisation — so that "which device does this belong to?" never goes unanswered at audit. ISO 13485:2016 §7.1 (Planning of product realisation) requires that the manufacturer plan and develop the processes needed for product realisation, including determining the verification, validation, monitoring, measurement, inspection, and test activities specific to that product. FDA 21 CFR 820.30(b) (Design and Development Planning) requires a Design Plan describing or referencing the design and development activities, defining responsibility, identifying and describing the interfaces. Wrapper’s Project Management layer scopes Issues, Risks, Technical Files, Traceability Matrices, Training assignments, and CAPA records to a Project (the device-programme container) and surfaces a project summary view with member roster, status gauges, and direct links into the scoped TF / Matrix / Risk / Issue inbox.
Regulatory pathway summary. Supports ISO 13485:2016 §7.1 + §7.3.2 (design and development planning); FDA 21 CFR 820.30(b) + §820.20(b)(3) (organisation responsibility); MDR Annex II §3 (manufacturing information including process design); ISO 13485 §5.5.1 (responsibility and authority).
| Purpose | Scope every regulated artefact to a device programme; ensure responsibility is identifiable. |
| What the user sees | Project summary view with member roster, project-scoped gauges (open issues, overdue, RACI), direct links to scoped TF / Matrix / Risk / Training. |
| Regulatory frameworks | ISO 13485 §7.1, §7.3.2, §5.5.1; FDA 21 CFR 820.30(b), §820.20(b)(3); MDR Annex II §3. |
| Solves the regulatory problem of | "Which device does this artefact belong to?" — unanswerable in folder-based systems. |
| Pathway milestone unlocked | Design-Plan readiness; NB Annex II §3 evidence; FDA design-controls planning evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Project-scoped Risks | ISO 13485 §7.1; ISO 14971 §3.4 | Risk file per device | All classes |
| Project-scoped Design Plan | FDA 21 CFR 820.30(b) | Class II/III + select Class I | FDA Class II, III |
| Member roster + RACI | ISO 13485 §5.5.1; §6.2 | Responsibility evidence | All classes |
| Project-scoped TF | MDR Annex II §3; 21 CFR 820.30(j) | TF compiled per device | All classes |
| Project-scoped Matrix | MDR Annex II §6; 21 CFR 820.30(f)(g) | V&V trace per device | All classes |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Project as join key | Audit question "show me all artefacts on this device" — single-filter answer. |
| RACI in project | "Who is responsible for X on this project?" — answered by member-role view. |
| Design Plan placeholder | 21 CFR 820.30(b) Design Plan referenced but not retrievable — FDA Form-483 observation. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Project scoping | Design-Plan readiness for FDA inspection; NB Annex II §3 evidence |
| RACI evidence | ISO 13485 §5.5.1 + §6.2 evidence |
Why these regulations are non-negotiable. Without a structured Design Plan referencing the design and development activities, FDA 21 CFR 820.30(b) is open at inspection — historically one of the top-five design-controls Form-483 citations. MDR Annex II §3 Technical File requires manufacturing-information that ties to the device — without a Project-scoped TF, the dossier fails Annex II §3 evidence.
Who uses this module and when. Engineering lead daily during development. RA Lead at submission planning. QMS Manager during the §8.2.3 audit cycle. NB auditor at TF assessment.
2.6 User / Role / Permission / Organisation
What this module is, in one paragraph. A regulated multi-tenant SaaS must satisfy two distinct access-control regimes: 21 CFR Part 11.10(d) + Part 11.300 (access controls) for FDA-regulated electronic records, and EU GMP Annex 11 §12 (security) for EU GMP-regulated activities. Beyond regulatory access control, ISO 27001:2022 Annex A 5.15–5.18 + 8.2–8.5 demand a managed information-security access-control regime, and SOC-2 CC6 (Logical and Physical Access Controls) demand evidence of provisioning, deprovisioning, privileged-access review, and authentication strength. Wrapper’s User / Role / Permission model is multi-tenant (every regulated row carries organization_id), authenticated through a security service registry with PIN-based ceremonies for regulated approvals, and permissioned at URL-path-keyed granularity — access is granted to specific endpoints rather than to abstract features, which is the auditor-defensible model. Active organisations are enumerated for all scheduled jobs and recomputations.
Regulatory pathway summary. Supports 21 CFR Part 11.10(d) + Part 11.300; EU GMP Annex 11 §12; ISO 27001:2022 Annex A 5.15–5.18, 8.2–8.5; SOC-2 CC6.1–CC6.8; ISO 13485:2016 §5.5.1 (responsibility and authority); MDR Annex IX §2.2 (NB audit of access procedures).
| Purpose | Tenant isolation + URL-precise access control + SOC-2/ISO-27001 access evidence. |
| What the user sees | Role-based UI; permissions visible per endpoint; provisioning/deprovisioning workflow; privileged-access review tab. |
| Regulatory frameworks | 21 CFR Part 11.10(d), §11.300; EU GMP Annex 11 §12; ISO 27001 Annex A 5.15-18, 8.2-5; SOC-2 CC6; ISO 13485 §5.5.1. |
| Solves the regulatory problem of | "Who has access to this regulated record and on what authority?" — answered with a per-endpoint permission map. |
| Pathway milestone unlocked | FDA Part 11 access-control attestation; EU GMP Annex 11 §12 compliance; SOC-2 CC6 evidence; ISO 27001 Annex A 5.15 + 8.2 evidence. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Limit system access to authorised individuals | 21 CFR Part 11.10(d); Annex 11 §12; ISO 27001 A.5.15 | All access to regulated records | All classes |
| Unique user identification | 21 CFR Part 11.200(a)(2); ISO 27001 A.5.16 | One user account = one identifiable individual | All classes |
| Authority checks (operation-specific) | 21 CFR Part 11.10(g); ISO 27001 A.5.18 | Privileged operations | All classes |
| Periodic access review | ISO 27001 A.5.18; SOC-2 CC6.3 | Quarterly minimum for privileged access | ISMS scope |
| Provisioning workflow | ISO 27001 A.5.16; SOC-2 CC6.2 | New user / role change | ISMS scope |
| Deprovisioning workflow | ISO 27001 A.5.16 + A.6.5; SOC-2 CC6.2 | Termination / role change | ISMS scope |
| PIN strength + lockout | 21 CFR Part 11.300(a)-(d); ISO 27001 A.8.5 | All actors with signing privileges | FDA scope + ISMS |
| Multi-tenant isolation | ISO 27001 A.8.34; SOC-2 CC6.7 | SaaS multi-tenancy | ISMS scope |
| Audit trail of authentication events | ISO 27001 A.8.15; SOC-2 CC7.2 | All login attempts | ISMS scope |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| URL-path permission | "Who can post to /capa/close?" — answered by checking permission name. |
| Quarterly access review | Departed employee’s access not revoked — SOC-2 CC6.3 stage-2 finding. |
| PIN per actor (HMAC stored) | Shared PINs — 21 CFR Part 11.200(a)(2) violation; Warning Letter. |
| Multi-tenant organization_id filter | Cross-tenant data leak — SOC-2 CC6.7 stage-2 finding; trust-destroying. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| Per-endpoint permission | FDA Part 11.10(g) authority-check evidence |
| Provisioning/deprovisioning | SOC-2 CC6.2 evidence; ISO 27001 A.5.16 evidence |
| Access review | SOC-2 CC6.3 evidence; ISO 27001 A.5.18 evidence |
| Tenant isolation | SOC-2 CC6.7 + CC8.1 evidence |
Why these regulations are non-negotiable. 21 CFR Part 11.10(d) is enforced at every Part 11 inspection — a system without operation-specific authority checks is a Warning Letter risk. SOC-2 CC6 is one of the 9 mandatory criteria in every SOC-2 Type-2 attestation; failure on CC6 fails the attestation. ISO 27001:2022 Annex A 5.15 is one of the four most-commonly-cited Annex A findings at stage-2 audit.
Who uses this module and when. Information Security Officer runs quarterly access reviews. HR + IT drive provisioning/deprovisioning. QMS Manager holds the role-mapping policy. SOC-2 auditor + ISO 27001 auditor sample access logs at every attestation cycle.
2.7 Notification + Todo
What this module is, in one paragraph. Regulatory clocks and approval queues do not announce themselves — if the user is not notified, the deadline is missed. MDR Art. 87 imposes a 15-day clock for serious-incident reporting (2 days for serious public-health threats, 10 days for death/serious deterioration); FDA 21 CFR 803.50 imposes 30-day MDR clocks; ISO 13485:2016 §5.5.3 (Internal Communication) requires that the QMS communicate the effectiveness of the QMS internally. Wrapper’s Notification + Todo layer is a two-pronged user nudge: an in-app notification bell (real-time) and a personal /todo list (aggregated). The expiry-notification scheduler walks per-record schedules (configurable days-from-due) and dispatches both channels daily, deduplicated so the same user is not pinged twice for the same trigger.
Regulatory pathway summary. Supports MDR Arts. 87–92 reporting-clock visibility; FDA 21 CFR 803.50/.53/.56 reporting clocks; ISO 13485:2016 §5.5.3 (internal communication); ISO 13485 §8.5.2 + FDA 21 CFR 820.100 (CAPA-cycle reminders); ISO 13485 §6.2 (training reminders).
| Purpose | Make regulatory deadlines and queues visible per user without manual check-in. |
| What the user sees | A notification bell (real-time + history) and a /todo page aggregating assignments across CAPA, Training, Approvals, Vigilance clocks, AI Findings. |
| Regulatory frameworks | MDR Arts. 87–92; FDA 21 CFR 803.50/.53/.56; ISO 13485 §5.5.3, §6.2, §8.5.2. |
| Solves the regulatory problem of | MIR clock missed because owner was not notified — MDR Art. 93 competent-authority enforcement. |
| Pathway milestone unlocked | Vigilance reporting-clock compliance; CAPA cycle visibility; training-expiry alerting. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Vigilance-clock notification | MDR Art. 87(3)+(4); 21 CFR 803.50/.53 | Serious-incident logged | All classes |
| CAPA stage reminders | ISO 13485 §8.5.2; FDA 21 CFR 820.100 | CAPA stage SLA approaching | All classes |
| Approval-queue reminders | FDA 21 CFR 820.40(b); EU GMP Annex 11 §14 | Approval pending | All classes |
| Training-expiry reminders | ISO 13485 §6.2; 21 CFR 820.25 | Training expires within configurable window | All classes |
| Periodic-review reminders | ISO 13485 §4.2.3(b) | Document approaching review-due date | All classes |
| Internal communication | ISO 13485 §5.5.3 | QMS effectiveness updates | All classes |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Vigilance clock | 15-day MIR missed — MDR Art. 93 CA enforcement; potential CE certificate suspension. |
| CAPA SLA | CAPA dwelling at investigation stage for months — FDA Form-483 observation. |
| Approval reminder | Document approval stuck — staff using prior revision. |
| Training expiry | Trainer-record expired without re-cert — ISO 13485 §6.2 finding at audit. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| All-channel notification | MDR Art. 87 reporting-clock compliance; FDA MDR clock compliance |
| Aggregated /todo | ISO 13485 §5.5.3 internal-communication evidence; reduces "I didn’t know" auditor responses |
Why these regulations are non-negotiable. Missing a 15-day MIR window under MDR Art. 87(3) is the single most-cited competent-authority non-conformance in EU device vigilance; persistent breach can suspend a CE certificate under MDR Art. 95. FDA Form-483 observations on CAPA dwelling at investigation stage routinely cite §820.100 (Corrective and Preventive Action) — late closure is a top-three FDA inspection finding.
Who uses this module and when. Every user, continuously. The PRRC monitors vigilance-clock notifications hourly during open MIR windows. The QMS Manager uses /todo aggregation weekly to see workload and SLA risk.
2.8 Scheduled Job Framework
What this module is, in one paragraph. Periodic regulatory work — checking certificate expiry, promoting documents to Effective on schedule, fanning out re-training assignments, scanning for trend events, advancing periodic processes, recomputing the Regulatory Health Score — must run unattended and reliably. IEC 62304 §6.2 (Software Maintenance Process) requires that a defined maintenance process exist for software-of-medical-device, including scheduled activities. ISO 13485:2016 §7.5.6 (Validation of Processes) requires that any process whose output cannot be fully verified by subsequent inspection be validated — periodic-job processes need that validation evidence. MDR Art. 83 (PMS Plan) requires ongoing post-market activities including periodic data collection and analysis — operationally enabled by scheduled jobs. Wrapper runs 12 scheduled jobs daily / weekly / hourly with consistent characteristics: each job iterates active organisations, per-organisation failures are logged and never abort the loop, every job action writes to the appropriate Log so the work is auditable.
Regulatory pathway summary. Operationalises IEC 62304 §6.2 (software maintenance); ISO 13485 §7.5.6 (process validation); MDR Art. 83 (PMS plan execution); ISO 13485 §8.2.4 (monitoring and measurement of processes); FDA 21 CFR 820.70(g) (production and process controls — automation).
| Purpose | Unattended periodic regulatory work. |
| What the user sees | Scheduler dashboard showing last-run / next-run / status per job; per-org per-job activity log. |
| Regulatory frameworks | IEC 62304 §6.2; ISO 13485 §7.5.6, §8.2.4; MDR Art. 83; FDA 21 CFR 820.70(g). |
| Solves the regulatory problem of | Manual periodic work missed under load — the SME’s structural failure mode. |
| Pathway milestone unlocked | Operational hygiene for every downstream module; process-validation evidence for §7.5.6. |
Regulatory Specificity
Table 1 — Which regulation applies in which case
| Feature | Citation | Applies when… | Class |
|---|---|---|---|
| Process validation | ISO 13485 §7.5.6; 21 CFR 820.75 | Process output not fully verified by inspection | All classes |
| Software maintenance | IEC 62304 §6.2 | All software-of-medical-device | SaMD scope |
| PMS plan execution | MDR Art. 83 | Continuous periodic activities post-market | All classes |
| Monitoring of processes | ISO 13485 §8.2.4 | QMS process measurement | All classes |
| Per-org isolation | SOC-2 CC6.7 | Multi-tenant scheduled work | SaaS scope |
Table 2 — Regulatory problem solved
| Feature | Concrete pain point |
|---|---|
| Per-org failure isolation | One tenant’s failure blocking another’s job — multi-tenant integrity violation. |
| Audit-logged actions | "Did the cert-expiry check run last Tuesday?" — answered by job log. |
| Process validation evidence | Auditor asks for §7.5.6 evidence for automated promotions — produced by job-validation records. |
Table 3 — Conformity-assessment pathway impact
| Feature | Pathway / milestone unlocked |
|---|---|
| 12-job operational set | MDR Art. 83 PMS-plan execution evidence; ISO 13485 §8.2.4 evidence |
| Per-job validation | ISO 13485 §7.5.6 process-validation evidence; IEC 62304 §6.2 maintenance-process evidence |
Why these regulations are non-negotiable. ISO 13485 §7.5.6 is one of the most-cited stage-2 audit findings — automated processes without validation evidence fail the clause. IEC 62304 §6.2 is mandatory for any software-of-medical-device classified as SaMD — without a documented maintenance process, the device cannot be CE-marked.
Who uses this module and when. DevOps / SRE monitor execution daily. QMS Manager consumes the per-org per-job log monthly for process-monitoring evidence. NB auditor samples scheduler runs during NB software audit.
