
Skill Guide

Quality management systems under ISO 13485 adapted for software and AI

The systematic framework that applies ISO 13485's medical device quality management requirements to the unique lifecycle, verification, and risk management challenges of software and AI-based medical device software (SaMD).

This skill ensures regulatory compliance and market access for AI-driven medical devices, directly reducing the risk of costly recalls, failed audits, and patient harm. It transforms quality from a cost center into a strategic asset that accelerates product approvals and builds stakeholder trust.

How to Learn Quality management systems under ISO 13485 adapted for software and AI

Master the core structure of ISO 13485 (clauses 4-8), focusing on Document Control (4.2.4) and Management Responsibility (5). Understand the fundamental regulatory distinction between SaMD (Software as a Medical Device) and traditional hardware devices. Learn the basics of IEC 62304 software lifecycle processes.
Apply requirements to real development artifacts. Practice creating a Software Development Plan (SDP) and a Software Requirements Specification (SRS) that explicitly trace to QMS clauses. Implement a Risk Management File (per ISO 14971) for an AI algorithm, focusing on hazard analysis of false positives/negatives. Avoid the common mistake of treating the QMS as a separate 'paperwork' exercise from actual engineering.
Strategically align the QMS with business objectives. Architect the quality system to integrate with agile/DevOps workflows without creating friction. Lead the response to a regulatory audit (e.g., FDA or Notified Body). Mentor teams on predictive risk analysis for complex AI systems, including data drift and model re-validation procedures. Master the interplay between ISO 13485, IEC 62304, and emerging standards like IEC 81001-5-1 for cybersecurity in health software.

Practice Projects

Beginner
Project

Draft a Design History File (DHF) for a Simple AI Diagnostic Feature

Scenario

You are a QA engineer on a team developing an AI tool to detect skin lesions in smartphone images. Your manager asks you to start the DHF for this feature.

How to Execute
1. Identify the relevant ISO 13485 clauses (7.3 Design and Development).
2. Create a document index for the DHF, listing mandatory outputs such as Design Input (user needs), Design Output (software specifications), and Design Review records.
3. Draft a simple Design Input document that translates a clinical need ('detect melanoma with 95% sensitivity') into a software requirement.
4. Mock up a traceability matrix linking this requirement to a test case.
Intermediate
Case Study/Exercise

Conduct a CAPA for a Post-Market AI Performance Drift

Scenario

Six months after launch, monitoring shows your AI algorithm's sensitivity for detecting diabetic retinopathy has degraded by 10% in real-world use, likely due to population data drift. A complaint has been filed.

How to Execute
1. Initiate a Corrective and Preventive Action (CAPA) record as per clause 8.5.2.
2. Perform root cause analysis (e.g., using a fishbone diagram) linking the performance drop to the training data pipeline.
3. Define corrective actions: retrain the model on new, representative data and implement a new performance monitoring metric in the production dashboard.
4. Document the verification and validation activities to prove the fix is effective and does not introduce new risks. Update the Risk Management File accordingly.
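Steps 3 and 4 of this exercise call for a production performance metric and for evidence that the fix holds. The block below is an added example, not part of this guide, showing one way to compute per-period sensitivity from an adjudicated prediction log, flag a drop below the validated baseline as a CAPA trigger, and check CAPA effectiveness after retraining. The baseline (0.95), the tolerance (0.05), the period size and the log itself are constructed values assumed for the example.

```python
"""Post-market sensitivity monitor for a binary AI classifier (constructed example)."""

# Assumed values for the example, not figures from any real device file.
BASELINE_SENSITIVITY = 0.95   # sensitivity claimed in the pre-market V&V report
DRIFT_TOLERANCE = 0.05        # absolute drop below baseline that opens a CAPA review
MIN_POSITIVES = 20            # adjudicated positives needed before a verdict is issued
PERIOD_SIZE = 60              # cases per monitoring period

# Constructed adjudication log of (ground_truth, model_prediction), 1 = disease present.
# Period 1: 38/40 positives caught (0.95). Period 2: 34/40 (0.85, a 10-point drop).
# Period 3: after retraining on representative data, 39/40 (0.975).
SAMPLE_LOG = (
    [(1, 1)] * 38 + [(1, 0)] * 2 + [(0, 0)] * 20
    + [(1, 1)] * 34 + [(1, 0)] * 6 + [(0, 0)] * 20
    + [(1, 1)] * 39 + [(1, 0)] * 1 + [(0, 0)] * 20
)

def sensitivity(records):
    """TP / (TP + FN) over adjudicated positives; None if too few to judge."""
    positives = [pred for truth, pred in records if truth == 1]
    if len(positives) < MIN_POSITIVES:
        return None
    return sum(positives) / len(positives)

def drift_status(records, baseline=BASELINE_SENSITIVITY, tolerance=DRIFT_TOLERANCE):
    """Classify one monitoring period against the validated baseline."""
    observed = sensitivity(records)
    if observed is None:
        return "INSUFFICIENT_DATA", observed
    if observed < baseline - tolerance:
        return "CAPA_TRIGGER", observed  # open a clause 8.5.2 CAPA record
    return "WITHIN_TOLERANCE", observed

def monitor_periods(records, period_size=PERIOD_SIZE):
    """Split the log into fixed periods; return [(period_no, status, sensitivity)]."""
    report = []
    for start in range(0, len(records), period_size):
        status, observed = drift_status(records[start:start + period_size])
        report.append((start // period_size + 1, status, observed))
    return report

def capa_effective(report, trigger_period):
    """Effectiveness check: every period after the trigger is back within tolerance."""
    later = [status for period, status, _ in report if period > trigger_period]
    return bool(later) and all(status == "WITHIN_TOLERANCE" for status in later)
```

Running `monitor_periods(SAMPLE_LOG)` flags period 2 as a CAPA trigger and `capa_effective(report, 2)` confirms the retrained model stays within tolerance afterwards.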
Advanced
Case Study/Exercise

Prepare for and Navigate a Regulatory Pre-Market Audit (e.g., FDA QSR)

Scenario

Your company is preparing a 510(k) submission for an AI-powered clinical decision support tool. You are the quality lead responsible for ensuring the QMS is inspection-ready for a potential FDA audit of your software development and risk management processes.

How to Execute
1. Conduct a mock audit using the FDA's Quality System Regulation (21 CFR Part 820) and the ISO 13485:2016 standard as checklists.
2. Trace an end-to-end audit path for a single high-risk requirement, from market need to post-market surveillance, ensuring all records (SRS, architecture, V&V reports, risk file, CAPA history) are complete and consistent.
3. Train key personnel (software leads, data scientists) on how to answer auditor questions about their processes without speculation.
4. Prepare a concise management review presentation (clause 5.6) demonstrating proactive quality oversight and resource commitment.

Tools & Frameworks

Regulatory & Standards

ISO 13485:2016, IEC 62304:2006+AMD1:2015, ISO 14971:2019, IEC 81001-5-1:2021

The core regulatory and normative stack for medical device software. ISO 13485 provides the QMS framework, IEC 62304 details software lifecycle processes, ISO 14971 governs risk management, and IEC 81001-5-1 addresses cybersecurity. Use them as binding requirements, not guidelines.

Quality Management Software & Platforms

Greenlight Guru, MasterControl, Jama Connect, Polarion REQUIREMENTS

Purpose-built QMS platforms that manage controlled documents, design controls, traceability, and CAPA workflows. They are critical for maintaining a 'single source of truth' and demonstrating compliance during audits. Integrate them with development tools like Jira and GitHub where possible.

Risk Management & Analysis Tools

Fault Tree Analysis (FTA) software, FMEA (Failure Mode and Effects Analysis) templates, Risk Management File (RMF) structured templates

Systematic tools for hazard identification, risk estimation, and risk control. FMEA is used proactively during design, while FTA is used reactively to analyze known failure events. A well-structured RMF is the central, auditable output of ISO 14971 compliance.

Interview Questions

Answer Strategy

Demonstrate a process-oriented mindset. The answer should connect SDLC phases directly to regulatory clauses. Sample: 'I'd start by mapping our SDLC phases to the Design and Development controls in ISO 13485 clause 7.3. I would define a Software Development Plan per IEC 62304 that specifies our process for requirements analysis, architectural design, unit implementation, and integration testing. For AI specifically, I would add a dedicated process for data management, model training, and performance validation, with clear entry/exit criteria. All activities would be traced in our design history file using a requirements management tool.'

Answer Strategy

Tests crisis management and knowledge of CAPA. The response must be procedural, not ad-hoc. Sample: 'Immediately, I would initiate a field safety corrective action (FSCA) if patient risk is imminent, in parallel with starting a formal CAPA per ISO 13485 clause 8.5.2. I would assemble a cross-functional team (engineering, clinical, regulatory) to perform a root cause analysis. The long-term fix would involve not just patching the model, but updating our training data validation protocols and implementing more robust post-market performance monitoring. The CAPA would be verified for effectiveness by showing the new controls prevent recurrence.'
