@neobiotechlabs/neobiotech-dev-agent 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (155) hide show
  1. package/.claude-plugin/marketplace.json +22 -0
  2. package/.claude-plugin/plugin.json +58 -0
  3. package/.mcp.json +14 -0
  4. package/README.md +442 -0
  5. package/dist/__tests__/adf.test.d.ts +1 -0
  6. package/dist/__tests__/adf.test.js +68 -0
  7. package/dist/__tests__/adf.test.js.map +1 -0
  8. package/dist/__tests__/annex-ii-template.test.d.ts +1 -0
  9. package/dist/__tests__/annex-ii-template.test.js +39 -0
  10. package/dist/__tests__/annex-ii-template.test.js.map +1 -0
  11. package/dist/__tests__/doc-render.test.d.ts +1 -0
  12. package/dist/__tests__/doc-render.test.js +93 -0
  13. package/dist/__tests__/doc-render.test.js.map +1 -0
  14. package/dist/__tests__/help.test.d.ts +1 -0
  15. package/dist/__tests__/help.test.js +31 -0
  16. package/dist/__tests__/help.test.js.map +1 -0
  17. package/dist/__tests__/jira-fields.test.d.ts +1 -0
  18. package/dist/__tests__/jira-fields.test.js +81 -0
  19. package/dist/__tests__/jira-fields.test.js.map +1 -0
  20. package/dist/__tests__/plugin-manifest.test.d.ts +1 -0
  21. package/dist/__tests__/plugin-manifest.test.js +91 -0
  22. package/dist/__tests__/plugin-manifest.test.js.map +1 -0
  23. package/dist/__tests__/setup.test.d.ts +1 -0
  24. package/dist/__tests__/setup.test.js +7 -0
  25. package/dist/__tests__/setup.test.js.map +1 -0
  26. package/dist/__tests__/sync-version.test.d.ts +1 -0
  27. package/dist/__tests__/sync-version.test.js +37 -0
  28. package/dist/__tests__/sync-version.test.js.map +1 -0
  29. package/dist/clients/risk-client.d.ts +17 -0
  30. package/dist/clients/risk-client.js +54 -0
  31. package/dist/clients/risk-client.js.map +1 -0
  32. package/dist/clients/xray-client.d.ts +34 -0
  33. package/dist/clients/xray-client.js +127 -0
  34. package/dist/clients/xray-client.js.map +1 -0
  35. package/dist/config/project-config.d.ts +14 -0
  36. package/dist/config/project-config.js +45 -0
  37. package/dist/config/project-config.js.map +1 -0
  38. package/dist/confluence-client.d.ts +16 -0
  39. package/dist/confluence-client.js +97 -0
  40. package/dist/confluence-client.js.map +1 -0
  41. package/dist/index.d.ts +2 -0
  42. package/dist/index.js +60 -0
  43. package/dist/index.js.map +1 -0
  44. package/dist/jira-client.d.ts +35 -0
  45. package/dist/jira-client.js +119 -0
  46. package/dist/jira-client.js.map +1 -0
  47. package/dist/tools/annex-ii-template.d.ts +30 -0
  48. package/dist/tools/annex-ii-template.js +129 -0
  49. package/dist/tools/annex-ii-template.js.map +1 -0
  50. package/dist/tools/confluence.d.ts +2 -0
  51. package/dist/tools/confluence.js +54 -0
  52. package/dist/tools/confluence.js.map +1 -0
  53. package/dist/tools/cvss.d.ts +2 -0
  54. package/dist/tools/cvss.js +59 -0
  55. package/dist/tools/cvss.js.map +1 -0
  56. package/dist/tools/doc-render.d.ts +2 -0
  57. package/dist/tools/doc-render.js +96 -0
  58. package/dist/tools/doc-render.js.map +1 -0
  59. package/dist/tools/doc-validation.d.ts +2 -0
  60. package/dist/tools/doc-validation.js +221 -0
  61. package/dist/tools/doc-validation.js.map +1 -0
  62. package/dist/tools/help-data.d.ts +7 -0
  63. package/dist/tools/help-data.js +144 -0
  64. package/dist/tools/help-data.js.map +1 -0
  65. package/dist/tools/help.d.ts +2 -0
  66. package/dist/tools/help.js +39 -0
  67. package/dist/tools/help.js.map +1 -0
  68. package/dist/tools/iec.d.ts +2 -0
  69. package/dist/tools/iec.js +203 -0
  70. package/dist/tools/iec.js.map +1 -0
  71. package/dist/tools/init.d.ts +2 -0
  72. package/dist/tools/init.js +38 -0
  73. package/dist/tools/init.js.map +1 -0
  74. package/dist/tools/jira-crud.d.ts +2 -0
  75. package/dist/tools/jira-crud.js +142 -0
  76. package/dist/tools/jira-crud.js.map +1 -0
  77. package/dist/tools/risk.d.ts +2 -0
  78. package/dist/tools/risk.js +172 -0
  79. package/dist/tools/risk.js.map +1 -0
  80. package/dist/tools/traceability.d.ts +2 -0
  81. package/dist/tools/traceability.js +85 -0
  82. package/dist/tools/traceability.js.map +1 -0
  83. package/dist/tools/types.d.ts +13 -0
  84. package/dist/tools/types.js +2 -0
  85. package/dist/tools/types.js.map +1 -0
  86. package/dist/tools/usability.d.ts +2 -0
  87. package/dist/tools/usability.js +149 -0
  88. package/dist/tools/usability.js.map +1 -0
  89. package/dist/tools/xray.d.ts +2 -0
  90. package/dist/tools/xray.js +35 -0
  91. package/dist/tools/xray.js.map +1 -0
  92. package/dist/utils/adf.d.ts +27 -0
  93. package/dist/utils/adf.js +104 -0
  94. package/dist/utils/adf.js.map +1 -0
  95. package/dist/utils/cvss.d.ts +15 -0
  96. package/dist/utils/cvss.js +86 -0
  97. package/dist/utils/cvss.js.map +1 -0
  98. package/dist/utils/doc-render.d.ts +28 -0
  99. package/dist/utils/doc-render.js +50 -0
  100. package/dist/utils/doc-render.js.map +1 -0
  101. package/dist/utils/jira-fields.d.ts +38 -0
  102. package/dist/utils/jira-fields.js +53 -0
  103. package/dist/utils/jira-fields.js.map +1 -0
  104. package/dist/utils/sync-version.d.ts +2 -0
  105. package/dist/utils/sync-version.js +20 -0
  106. package/dist/utils/sync-version.js.map +1 -0
  107. package/package.json +49 -0
  108. package/skills/doc-render/SKILL.md +79 -0
  109. package/vendor/dev-docs-templates/templates/dev_docs/plan_template.md +104 -0
  110. package/vendor/dev-docs-templates/templates/dev_docs/prd_template.md +110 -0
  111. package/vendor/dev-docs-templates/templates/dev_docs/spec_template.md +81 -0
  112. package/vendor/dev-docs-templates/templates/dev_docs/tasks_template.md +122 -0
  113. package/vendor/dev-docs-templates/templates/mdr_docs/CA/checklist-clinical-evaluation.md +81 -0
  114. package/vendor/dev-docs-templates/templates/mdr_docs/CA/checklist-gspr-mdr.md +403 -0
  115. package/vendor/dev-docs-templates/templates/mdr_docs/CA/clinical-evaluation-report.md +492 -0
  116. package/vendor/dev-docs-templates/templates/mdr_docs/CA/instructions-for-use.md +132 -0
  117. package/vendor/dev-docs-templates/templates/mdr_docs/CA/literature-evaluation-table.md +15 -0
  118. package/vendor/dev-docs-templates/templates/mdr_docs/CA/mdr-declaration-of-conformity.md +75 -0
  119. package/vendor/dev-docs-templates/templates/mdr_docs/CA/post-market-clinical-follow-up-plan.md +162 -0
  120. package/vendor/dev-docs-templates/templates/mdr_docs/CA/post-market-surveillance-plan.md +175 -0
  121. package/vendor/dev-docs-templates/templates/mdr_docs/CA/risk-management-cybersecurity-checklist.md +67 -0
  122. package/vendor/dev-docs-templates/templates/mdr_docs/CA/risk-management-report.md +111 -0
  123. package/vendor/dev-docs-templates/templates/mdr_docs/CA/usability-evaluation-report.md +70 -0
  124. package/vendor/dev-docs-templates/templates/mdr_docs/EA/clinical-evaluation-plan.md +154 -0
  125. package/vendor/dev-docs-templates/templates/mdr_docs/EA/list-of-hazard-related-use-scenarios.md +34 -0
  126. package/vendor/dev-docs-templates/templates/mdr_docs/EA/risk-table-fmea.md +155 -0
  127. package/vendor/dev-docs-templates/templates/mdr_docs/EA/software-architecture-description.md +307 -0
  128. package/vendor/dev-docs-templates/templates/mdr_docs/EA/software-requirements-list.md +156 -0
  129. package/vendor/dev-docs-templates/templates/mdr_docs/EA/soup-list.md +82 -0
  130. package/vendor/dev-docs-templates/templates/mdr_docs/EA/usability-evaluation-plan.md +103 -0
  131. package/vendor/dev-docs-templates/templates/mdr_docs/ER/global/bug-fixes-documentation-list.md +35 -0
  132. package/vendor/dev-docs-templates/templates/mdr_docs/ER/global/change-evaluation-list.md +100 -0
  133. package/vendor/dev-docs-templates/templates/mdr_docs/ER/global/list-of-known-anomalies.md +29 -0
  134. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/algorithm-validation-report.md +170 -0
  135. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/checklist-software-release.md +52 -0
  136. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/checklist-software-requirements-review.md +50 -0
  137. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/software-architecture-checklist.md +41 -0
  138. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/software-detailed-design.md +321 -0
  139. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/software-system-test-plan.md +155 -0
  140. package/vendor/dev-docs-templates/templates/mdr_docs/ER/sprint/usability-evaluation-protocol.md +63 -0
  141. package/vendor/dev-docs-templates/templates/mdr_docs/PA/intended-use.md +116 -0
  142. package/vendor/dev-docs-templates/templates/mdr_docs/PA/mdr-classification-document.md +114 -0
  143. package/vendor/dev-docs-templates/templates/mdr_docs/PA/risk-management-plan.md +198 -0
  144. package/vendor/dev-docs-templates/templates/mdr_docs/PA/software-development-maintenance-plan.md +225 -0
  145. package/vendor/dev-docs-templates/templates/mdr_docs/PA/system-requirements-spec.md +182 -0
  146. package/vendor/dev-docs-templates/templates/mdr_docs/global/information_security/information-security-controls.md +966 -0
  147. package/vendor/dev-docs-templates/templates/mdr_docs/global/information_security/information-security-policy-and-scope.md +99 -0
  148. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/quality-manual-policy-objectives.md +187 -0
  149. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-capa.md +112 -0
  150. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-change-management.md +128 -0
  151. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-clinical-evaluation.md +102 -0
  152. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-feedback-management.md +140 -0
  153. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-integrated-software-development.md +361 -0
  154. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-post-market-surveillance.md +159 -0
  155. package/vendor/dev-docs-templates/templates/mdr_docs/global/qms/sop-software-problem-resolution.md +99 -0
@@ -0,0 +1,99 @@
1
+ # Information Security Policy And Scope
2
+
3
+ | ISO 27001:2023 Section | Document Section |
4
+ |-------------------------------------------------------------------------|------------------|
5
+ | 4.3 Determining the scope of the information security management system | 1. |
6
+ | 4.4 Information security management system | (All) |
7
+ | 5.1 Leadership and commitment | 8. |
8
+ | 5.2 Policy | 2. |
9
+ | 5.3 Organizational roles, responsibilities and authorities | 8. |
10
+
11
+ ## Summary
12
+
13
+ The Information Security Policy describes the scope of the Information Security Management System (ISMS), its
14
+ documented procedures and a description of their interactions.
15
+
16
+ ## 1. Scope
17
+
18
+ The policy described in this document outlines the framework to manage information security in *\<your company
19
+ name\>*.
20
+
21
+ This policy applies to all employees, contractors, and third-party vendors of [Organization Name] who have
22
+ access to electronic and physical information systems and data.
23
+
24
+ ## 2. Policy Statement
25
+
26
+ *\<your company name\>* commits to maintaining the confidentiality, integrity, and availability of all its
27
+ information assets. This is achieved through:
28
+
29
+ * Implementing a comprehensive Information Security Management System (ISMS) compliant with ISO/IEC 27001:2023
30
+ standards.
31
+ * Regularly assessing the information security risks and implementing the appropriate measures to mitigate
32
+ identified risks.
33
+ * Ensuring that information security is an integral part of all IT and business processes.
34
+ * Providing ongoing training and support to all staff to ensure they understand their roles and
35
+ responsibilities in safeguarding sensitive information.
36
+ * Regularly reviewing and updating the ISMS to address new security challenges and business changes.
37
+
38
+ ## 3. Information Security Principles
39
+
40
+ * Confidentiality: Ensuring that information is accessible only to those authorized to have access.
41
+ * Integrity: Safeguarding the accuracy and completeness of information and processing methods.
42
+ * Availability: Ensuring that authorized users have access to information and associated assets when required.
43
+
44
+ ## 4. Risk Management
45
+
46
+ The organization will regularly carry out risk assessments to identify, evaluate, and address risks associated
47
+ with information security.
48
+
49
+ ## 5. Incident Management
50
+
51
+ A structured approach will be followed to handle security breaches or incidents, which includes incident
52
+ reporting, investigation, and mitigation strategies to prevent future occurrences.
53
+
54
+ ## 6. Compliance
55
+
56
+ Compliance with this policy will be monitored and reviewed as part of the ongoing performance evaluation
57
+ process. Violations of this policy will result in disciplinary action, which may include termination and legal
58
+ action, depending on the severity of the breach.
59
+
60
+ ## 7. Policy Review
61
+
62
+ This policy will be reviewed annually or in response to significant organizational or technological changes to
63
+ ensure its continuing suitability, accuracy, and effectiveness.
64
+
65
+ ## 8. Organizational Roles, Responsibilities and Authorities
66
+
67
+ > Describe the roles of the people in your company. Typically this is done by drawing an organigram (you could
68
+ > use draw.io for that). Or, you just use a table like below.
69
+ >
70
+ > Minimum requirement information: required qualification and description of tasks related to QMS process
71
+ > involvement If applicable, add: report / authority, access rights, etc.
72
+
73
+ | Role | People |
74
+ |-----------------|---------------------------|
75
+ | CEO | Steve Jobs |
76
+ | CTO | Steve Wozniak |
77
+ | ISO | Oliver Eidel |
78
+
79
+ All C-level roles (CEO, CTO, CMO) are referred to as the Management. Management is generally responsible to
80
+ endorse and support the Information Security Policy by providing the necessary resources and authority to
81
+ implement it.
82
+
83
+ The Information Security Officer (ISO) is responsible for maintaining the ISMS and ensuring the policy is
84
+ implemented, monitored, reviewed, and updated.
85
+
86
+ All Employees are required to adhere to this policy and report any security breaches or incidents to the
87
+ designated authority.
88
+
89
+ Required qualification for this role:
90
+
91
+ * Fluent in German and English language
92
+ * Training in the field of information security management
93
+
94
+ ---
95
+
96
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
97
+ license](https://openregulatory.com/template-license).
98
+
99
+ Please don't remove this notice even if you've modified contents of this template.
@@ -0,0 +1,187 @@
1
+ # Quality Manual, Policy and Objectives
2
+
3
+ | ISO 13485:2016 Section | Document Section |
4
+ |------------------------|------------------|
5
+ | 4.1.1 | 1. |
6
+ | 4.1.2 | 4. |
7
+ | 4.2.1 b) | (All) |
8
+ | 4.2.2 | (All) |
9
+ | 5.3 | 2. |
10
+ | 5.4.1 | 2. |
11
+
12
+ ## Summary
13
+
14
+ The Quality Manual describes the scope of the Quality Management System, its documented procedures and a
15
+ description of their interactions.
16
+
17
+ ## 1. Scope
18
+
19
+ The QMS described in this Quality Manual applies to all products of *\<your company name\>*.
20
+
21
+ ### Role of Company
22
+
23
+ > Other roles besides manufacturer are: Authorized representative, distributor.
24
+
25
+ *\<your company name\>* is a manufacturer of Medical Devices.
26
+
27
+ ### Applicable Standards
28
+
29
+ The following table only gives an overview of the most relevant regulation and standards. For a comprehensive overview, see the list of applicable standards (reference here).
30
+
31
+ | Standard / Regulation / Law | Why Applicable? |
32
+ |-----------------------------|-----------------------------------------------------------|
33
+ | EU Regulation 2017/745 | Regulation for medical devices for human use |
34
+ | EU Regulation 2021/2226 | Regulation for electronic instructions for use |
35
+ | EN ISO 13485:2016 | QMS required by essential requirements of MDD/MDR |
36
+ | EN ISO 14971:2019 | Risk management for medical devices |
37
+ | IEC 62304:2006 | Software development for medical devices |
38
+ | IEC 62366-1:2015 | Usability evaluation for medical devices |
39
+
40
+ ### Exclusions
41
+
42
+ The following sections of ISO 13485:2016 will be excluded due to the product being stand-alone software:
43
+
44
+ * 6.4.2 Contamination control
45
+ * 7.5.2 Cleanliness of product
46
+ * 7.5.5 Particular requirements for sterile medical devices
47
+ * 7.5.7 Particular requirements for validation of processes for sterilization and sterile barrier systems
48
+ * 7.5.9.2 Particular requirements for implantable medical devices
49
+ * 7.5.11 Preservation of product
50
+
51
+ ## 2. Quality Policy & Objectives
52
+
53
+ ### Quality Policy
54
+
55
+ > Describe what your company is about, specifically, its mission and things which are important for it. Maybe
56
+ > you're developing software for patients with a certain disease and your goal is to improve their lives.
57
+ >
58
+ > In addition, the policy should include a commitment to meet legal requirements, keep the QMS up to date and
59
+ > define quality objectives to work towards.
60
+
61
+ ### Quality Objectives
62
+
63
+ > Whatever policy you outlined above, now you need to make it measurable by defining objectives which can be
64
+ > tracked. Those objectives should not (only) refer to the quality of your devices but the quality of your QMS
65
+ > and the overall work of your organization. Typical examples are: hiring excellence in staff, providing,
66
+ > best-of-class device performance, high standards of customer satisfaction, etc.
67
+
68
+ ### Key Performance Indicators (KPIs)
69
+
70
+ > Auditors might ask you: how do you keep track of a quality objective, to see if it was achieved or not? The
71
+ > answer is: Key Performance Indicators. As part of your management review, you have to review all QMS
72
+ > processes plus your quality policy and objectives at least annually. Now, you can meet both requirements at
73
+ > the same time by defining KPIs for your QMS processes. You can then argue that by achieving your KPIs, you
74
+ > make sure that your processes run well, which also meets your quality objectives.
75
+
76
+ > These are your action items:
77
+ > 1. Make sure to define at least one KPI for each QMS process.
78
+ > 2. Make sure each quality objectives translates into at minimum one process KPI. Where there's no
79
+ > corresponding process for a quality objective, you define additional KPIs that are not process-related.
80
+ > 3. You can document those KPIs either in each SOP or in a separate overview sheet. For example, you can use
81
+ > the template for a management review report for that purpose.
82
+ >
83
+ > Also see regulatory requirements: ISO 13485, para. 4.1.3.a (process KPIs) and para. 5.6.2 (management review
84
+ > input).
85
+ >
86
+ > In this section here, describe where you define your KPIs and how you keep track of them. For example, say
87
+ > that you define KPIs in every single SOP or reference to a separate, central overview sheet. Ideally, KPIs
88
+ > are tracked by each process owner independently.
89
+
90
+ ## 3. Roles
91
+
92
+ > Describe the roles of the people in your company. Typically this is done by drawing an organigram (you could
93
+ > use draw.io for that). Or, you just use a table like below.
94
+ >
95
+ > Minimum requirement information: required qualification and description of tasks related to QMS process
96
+ > involvement If applicable, add: report / authority, access rights, etc.
97
+
98
+ | Role | People |
99
+ |-----------------|---------------------------|
100
+ | CEO | Steve Jobs |
101
+ | CTO | Steve Wozniak |
102
+ | Product Manager | Ada Lovelace |
103
+ | QMO | Oliver Eidel |
104
+
105
+ All C-level roles (CEO, CTO, CMO) are referred to as the Management. Management is generally responsible to
106
+ define responsibilities and authorities, to define and communicate Quality Policy and Goals and to ensure that
107
+ the whole organization is oriented towards them.
108
+
109
+ > See ISO 13485, para. 5.1, para. 5.5.1
110
+
111
+ The Quality Management Officer (QMO) is responsible for:
112
+
113
+ * ensuring that processes needed for the company’s quality management system are documented
114
+ * reporting to top management on the effectiveness of the quality management system and any need for
115
+ improvement
116
+ * ensuring the promotion of awareness of applicable regulatory requirements and QMS requirements throughout the
117
+ organization.
118
+
119
+ Required qualification for this role:
120
+
121
+ * Fluent in German and English language
122
+ * At minimum one year of professional experience in the fields of quality management and regulatory affairs
123
+
124
+ > See ISO 13485, para. 5.1, para. 5.5.2
125
+
126
+ Person Responsible for Regulatory Compliance (PRRC) Responsibilities of the PRRC are in accordance with
127
+ Art. 15 MDR as follows:
128
+
129
+ * Ensure (review / release) the conformity of the devices is appropriately checked in accordance with the QMS
130
+ before a device is released (also see Art. 10 Para. 9 MDR)
131
+ * Ensure (review / release) that the technical documentation and the EU declaration of conformity are drawn up
132
+ and kept up-to-date for all medical devices (also see Art. 10 Para. 4 and Art. 6 MDR)
133
+ * Ensure (review / release) that obligations for post-market surveillance are complied with in accordance with
134
+ Art. 10 Para. 10 MDR
135
+ * Ensure (review / release) that the reporting obligations of Articles 87 to 91 MDR are fulfilled (FSCA /
136
+ incidents, also see Art. 10 Para. 13 MDR)
137
+ * Ensure that, in the case of investigational devices, the statement referred to in Section 4.1 of Chapter II
138
+ of Annex XV MDR is issued.
139
+
140
+ The PRRC shall not be subjected to Management instructions while carrying out his/her responsibilities
141
+ specified above. His/her tasks may be delegated to other roles as long as it is ensured that final
142
+ responsibility stays with the PRRC. She or he has the power and authority to represent the company in the
143
+ scope of his/her responsibilities, e.g. in communicating with state authorities.
144
+
145
+ Required qualification for this role:
146
+
147
+ * Fluent in English language
148
+ * Knowledge of the role and responsibilities of a ‘Person Responsible for Regulatory Compliance’ according to
149
+ Art. 15 MDR
150
+ * Higher education degree in law, medicine, pharmacology or engineering
151
+ * OR: four years of professional experience in the fields of quality management and regulatory affairs
152
+ * At minimum one year of professional experience in the fields of quality management and regulatory affairs
153
+
154
+ ## 4. Processes
155
+
156
+ > List all your SOPs here. This list is highly company-specific and might therefore be currently incomplete.
157
+ >
158
+ > **Important Note:**
159
+ >
160
+ > Also mention if one of these processes is outsourced to a third party (typical examples: internal auditing
161
+ > or clinical evaluation done by a regulatory consultant, software development done by an external agency; see
162
+ > ISO 13485:2016, para. 4.1.5 for more context).
163
+
164
+ | SOP | Process Category | Internal / Outsourced |
165
+ |--------------------------------------------|------------------|-----------------------|
166
+ | SOP Corrective and Preventive Action | Management | Internal |
167
+ | SOP Clinical Evaluation | Core | Outsourced (?) |
168
+ | SOP Product Certification and Registration | Core | Internal |
169
+ | SOP Change Management | Core | Internal |
170
+ | SOP Deployment | Core | Internal |
171
+ | SOP Document and Record Control | Support | Internal |
172
+ | SOP Integrated Software Development | Core | Internal |
173
+ | SOP Feedback Management | Core | Internal |
174
+ | SOP Internal Auditing | Management | Outsourced (?) |
175
+ | SOP Management Review | Management | Internal |
176
+ | SOP Post-Market Surveillance | Management | Internal |
177
+ | SOP Problem Resolution | Core | Internal |
178
+ | SOP Software Validation | Support | Internal |
179
+ | SOP Update of Regulations | Support | Internal |
180
+ | SOP Vigilance | Core | Internal |
181
+
182
+ ---
183
+
184
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
185
+ license](https://openregulatory.com/template-license).
186
+
187
+ Please don't remove this notice even if you've modified contents of this template.
@@ -0,0 +1,112 @@
1
+ # SOP Corrective and Preventive Action (CAPA)
2
+
3
+ | ISO 13485:2016 Section | Document Section |
4
+ |------------------------|------------------|
5
+ | 8.5.1 | (All) |
6
+ | 8.5.2 | (All) |
7
+ | 8.5.3 | (All) |
8
+
9
+ ## Summary
10
+
11
+ This SOP describes how CAPAs are implemented and tracked.
12
+
13
+ | | |
14
+ |--------------------------------|----------------------------------------------------------|
15
+ | **Process Owner** | *\<enter role of process owner\>* |
16
+ | **Key Performance Indicators** | *\<enter KPIs to be tracked for the Management Review\>* |
17
+
18
+ ## Process Steps
19
+
20
+ ### 1. Input for CAPA
21
+
22
+ Various events may lead to creation of CAPA. Examples include:
23
+
24
+ * Product or QMS non-conformities
25
+ * Customer complaints
26
+ * Internal bug reports, e.g. by developers
27
+ * Audit findings
28
+ * Post-market surveillance findings, including trends
29
+ * Management review findings, including trends
30
+
31
+ These inputs may be received from any person inside or outside the company. The QMO is responsible for
32
+ creating the CAPA and tracking its resolution.
33
+
34
+ CAPAs are tracked in the CAPA list.
35
+
36
+ | Participants |
37
+ |--------------|
38
+ | QMO |
39
+
40
+ | Input | Output |
41
+ |---------------------------------|--------------|
42
+ | Non-conformity, complaint, etc. | CAPA created |
43
+
44
+ ### 2. Decision on Next Steps and Immediate Action
45
+
46
+ If immediate action is necessary (e.g. field safety corrective action or a notification to authorities according to SOP Vigilance), the QMO consults the
47
+ Person Responsible for Regulatory Compliance. Immediate action is carried out without undue delay (see ISO 13485 para. 8.5.2).
48
+
49
+ In any case, the QMO discusses the next steps with the person closest to the issue, e.g. for software bugs, the
50
+ Head of Software Development.
51
+
52
+ | Participants |
53
+ |-----------------------------------------------------------------------------------------|
54
+ | QMO |
55
+ | Medical Device Safety Officer / Person Responsible for Regulatory Compliance (optional) |
56
+
57
+ | Input | Output |
58
+ |-------|---------------------------|
59
+ | CAPA | CAPA, updated with action |
60
+
61
+ ### 3. Root Cause Analysis
62
+
63
+ The QMO coordinates a root cause analysis with the person closest to the issue. The preferred method for this
64
+ is Five Whys. The result is added to the CAPA list.
65
+
66
+ | Participants |
67
+ |------------------------------------|
68
+ | QMO |
69
+ | Other people in company (optional) |
70
+
71
+ | Input | Output |
72
+ |-------|-------------------------------|
73
+ | CAPA | CAPA, updated with root cause |
74
+
75
+ ### 4. Implementation of Action
76
+
77
+ The QMO coordinates defining and implementing corrective and preventive action. Additionally, the QMO takes
78
+ into account adverse negative implications and verifies that the actions do not adversely affect the ability
79
+ to meet applicable regulatory requirements or the safety and performance of the medical device. Outcomes are
80
+ documented in the CAPA list.
81
+
82
+ | Participants |
83
+ |------------------------------------|
84
+ | QMO |
85
+ | Other people in company (optional) |
86
+
87
+ | Input | Output |
88
+ |-------|--------------------------------|
89
+ | CAPA | CAPA, updated with action plan |
90
+
91
+ ### 5. Verification and Check of Effectiveness
92
+
93
+ The QMO conducts the verification and effectiveness review of the implemented action. These are defined as
94
+ below. Thereafter, the QMO closes the CAPA.
95
+
96
+ * Verification: Documenting proof of implementation of actions taken.
97
+ * Effectiveness: Review of the effectiveness of actions taken.
98
+
99
+ | Participants |
100
+ |--------------|
101
+ | QMO |
102
+
103
+ | Input | Output |
104
+ |-------|--------------------------------------------------------------------|
105
+ | CAPA | CAPA, updated with verification, effectiveness review, closed date |
106
+
107
+ ---
108
+
109
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
110
+ license](https://openregulatory.com/template-license).
111
+
112
+ Please don't remove this notice even if you've modified contents of this template.
@@ -0,0 +1,128 @@
1
+ # SOP Change Management
2
+
3
+ | Classes | IEC 62304:2006 Section | Document Section |
4
+ |---------|------------------------|------------------|
5
+ | A, B, C | 6.2.3 | 2 |
6
+ | A, B, C | 6.2.4 | 2 |
7
+ | A, B, C | 6.2.5 | 2 |
8
+ | A, B, C | 6.3.1 | 3 |
9
+ | A, B, C | 6.3.2 | 3 |
10
+ | A, B, C | 7.4.1 | 2 |
11
+ | B, C | 7.4.2 | 2 |
12
+ | B, C | 7.4.3 | 2 |
13
+ | A, B, C | 8.2.1 | 2 |
14
+ | A, B, C | 8.2.2 | 3 |
15
+ | A, B, C | 8.2.3 | 3 |
16
+ | A, B, C | 8.2.4 | 3 |
17
+ | A, B, C | 9.4 | (All) |
18
+
19
+ ## Summary
20
+
21
+ This SOP describes how we evaluate and make changes to our software after it’s released.
22
+
23
+ | | |
24
+ |--------------------------------|----------------------------------------------------------|
25
+ | **Process Owner** | *\<enter role of process owner\>* |
26
+ | **Key Performance Indicators** | *\<enter KPIs to be tracked for the Management Review\>* |
27
+
28
+ ## General Considerations
29
+
30
+ ### Feedback Classification
31
+
32
+ Feedback is either classified as a **bug fix** or a **regular change request**:
33
+
34
+ * **Bug fixes:** By definition, bug fixes only constitute minor changes to the software code and complement
35
+ existing device features instead of introducing new ones or removing existing ones. Bug fixes must
36
+ not 1) Constitute significant changes to the medical device as defined by the criteria outlined in the
37
+ change assessment list and 2) Introduce new risks or failure modes
38
+ * **Regular Change Requests:** All other changes that are not classified as a bug fix.
39
+
40
+ ### Guidance Documents
41
+
42
+ The processing of changes is based on the following regulatory provisions and guidances:
43
+
44
+ * **Medical Device Regulation, Annex IX Chapter II Section 4.10:** *"Changes to the approved device shall
45
+ require approval from the notified body which issued the EU technical documentation assessment certificate
46
+ where such changes could affect the safety and performance of the device or the conditions prescribed for
47
+ use of the device. Where the manufacturer plans to introduce any of the above-mentioned changes it shall
48
+ inform the notified body which issued the EU technical documentation assessment certificate thereof. The
49
+ notified body shall assess the planned changes and decide whether the planned changes require a new
50
+ conformity assessment in accordance with Article 52 or whether they could be addressed by means of a
51
+ supplement to the EU technical documentation assessment certificate. In the latter case, the notified body
52
+ shall assess the changes, notify the manufacturer of its decision and, where the changes are approved,
53
+ provide it with a supplement to the EU technical documentation assessment certificate."*
54
+ * **Medical Device Coordination Group (MDCG) Document 2020-03:** “Guidance on significant changes regarding
55
+ the transitional provision under Article 120 of the MDR with regard to devices covered by certificates
56
+ according to MDD or AIMDD”
57
+
58
+ ## Process Steps
59
+
60
+ ### 1. Creation of Change Request
61
+
62
+ Changes proposals can originate from various sources, e.g.:
63
+
64
+ * Internal design ideas
65
+ * Market research
66
+ * Customer feedback (see process for feedback management)
67
+ * Post-Market Surveillance (see process for post-market surveillance)
68
+ * Changes to the QMS
69
+
70
+ They can originate from anywhere inside the company.
71
+
72
+ The Product Manager creates a change request ticket in the company’s project management software with a
73
+ description of the proposed change.
74
+
75
+ | Participants |
76
+ |----------------------------------------------|
77
+ | Anyone in the company with a change proposal |
78
+
79
+ | Input | Output |
80
+ |-----------------|----------------------------------------------------------|
81
+ | Change proposal | Documented change request (ID per product version) |
82
+
83
+ ### 2. Evaluation of Change
84
+
85
+ The Product Manager, together with a Regulatory Affairs Manager and the Head of Software Development, then
86
+ evaluates the proposed change. In a first step, it is assessed if the change constitutes a bug fix or not. In
87
+ case of a bug fix, the Product Manager directly proceeds with the evaluation as part of the bug fixes
88
+ documentation list (link here).
89
+
90
+ If the change does not constitute a bug fix but rather a regular change request, it is evaluated whether the
91
+ change:
92
+
93
+ 1. Is a significant change (refer to e.g. MDCG 2020-03 for guidance)
94
+ 2. Introduces any new risks and whether those are acceptable
95
+ 3. Impacts any existing risk control measures
96
+ 4. Is technically feasible
97
+ 5. Makes sense for the product strategy of the company
98
+
99
+ The evaluation is documented as part of the Change Evaluation List and results in a decision on whether the change is implemented and whether the Notified Body needs to be involved if the change is significant. These two decisions are documented in the change request ticket.
100
+
101
+ If required, a Notified Body shall be informed before the implementation of changes.
102
+ Multiple proposed changes can be batched and discussed in one session.
103
+
104
+ If the change request relates to the change of parts of the QMS, the change is assessed with the second part of the change evaluation list for "organizational changes".
105
+
106
+ | Participants |
107
+ |------------------------------|
108
+ | Product Manager |
109
+ | Head of Software Development |
110
+ | Regulatory Affairs Manager |
111
+
112
+ | Input | Output |
113
+ |----------------|-----------------------------|
114
+ | Change request | Completed change evaluation |
115
+
116
+ ### 3. Implementation, Verification, Validation, Update of Documentation
117
+
118
+ Change requests result as input to the SOP Software Development and are implemented accordingly.
119
+
120
+ This includes verification, validation and release activities while ensuring traceability. The relevant
121
+ documentation is updated and released with an updated declaration of conformity.
122
+
123
+ ---
124
+
125
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
126
+ license](https://openregulatory.com/template-license).
127
+
128
+ Please don't remove this notice even if you've modified contents of this template.
@@ -0,0 +1,102 @@
1
+ | Regulatory Requirement | Document Section |
2
+ |------------------------|------------------|
3
+ | MDR Annex XIV | All |
4
+ | MEDDEV 2.7/1, rev. 4 | All |
5
+ | MDCG 2020-6 | All |
6
+
7
+ ## Summary
8
+
9
+ This SOP describes the development of medical devices in accordance with regulatory requirements of Annex XIV (MDR) regarding medical device clinical performance. It ensures the level of
10
+ demonstrated safety and risk-benefit ratio that is required for our medical devices both for initial
11
+ certification and for continued safe use in the market.
12
+
13
+ | | |
14
+ |--------------------------------|----------------------------------------------------------|
15
+ | **Process Owner** | *\<enter role of process owner\>* |
16
+ | **Key Performance Indicators** | *\<enter KPIs to be tracked for the Management Review\>* |
17
+
18
+ ## Process Steps
19
+
20
+ ### 1.1 Clinical Evaluation Plan
21
+
22
+ The clinical evaluation is initiated following a Management decision to place a new or updated medical device
23
+ on the market. The organization follows this process both for initial market placement and for continuous
24
+ updates during the marketing phase.
25
+
26
+ The initial clinical evaluation is planned as part of the Clinical Evaluation Plan. During the marketing
27
+ phase, this plan is continuously updated as part of the Post-Market Clinical Follow-Up.
28
+
29
+ External partners can be involved in both conducting the initial clinical evaluation and the post-market
30
+ clinical follow-up in order to ensure higher clinical expertise during the process and lower the risk of
31
+ regulatory nonconformity. In this case, different external partners should be evaluated with regard to
32
+ sufficient experience (see MEDDEV 2.7/1 rev. 4 section 6.2). The *\<Head of the Medical Team\>* serves as the
33
+ point of contact to provide all relevant information to the partner.
34
+
35
+ > NOTE: if your organization maintains a purchasing process, the selection of an external partner for the
36
+ > clinical evaluation should be subject to supplier evaluation.
37
+
38
+ | | |
39
+ |--------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
40
+ | Participants | Medical Team |
41
+ | Input | Initial release: decision on new device, preliminary product specifications (intended use, risk assessment, available preclinical data, information on equivalent devices, etc.) |
42
+ | Output | Initial release: completed Clinical Evaluation Plan |
43
+
44
+
45
+ ### 1.2 Clinical Evaluation Report
46
+
47
+ Relevant data is collected and analyzed as part of writing the Clinical Evaluation Report to evaluate the
48
+ device’s clinical performance. The clinical evaluation shall consider at least the following points:
49
+
50
+ * Intended Use (incl. user and patient population, use environment, device features)
51
+ * Data to support equivalence with other devices (if applicable)
52
+ * Discussion of state of the art technology
53
+ * Discussion of the selected categories of clinical data, the quality of clinical data and its sufficiency to
54
+ support an overall balanced risk-benefit ratio of the device and compliance with the General Safety
55
+ Performance Requirements (MDR).
56
+
57
+ In the course of data collection and analysis, new risks may be identified and are documented accordingly as
58
+ updates to the risk management file.
59
+
60
+ > NOTE: where a Notified Body is involved in the conformity assessment of the device and the Medical team
61
+ > identifies remaining uncertainty with regard to the sufficiency of the clinical data, the Notified Body can
62
+ > be contacted to discuss additional measures (e.g., as part of the post-market clinical follow-up) that ensure
63
+ > product conformity and approval.
64
+
65
+ | | |
66
+ |--------------|-------------------------------------------------------------------------|
67
+ | Participants | Medical Team |
68
+ | Input | Product specifications |
69
+ | Output | Completed Clinical Evaluation Report<br>If necessary: updated risk file |
70
+
71
+ ### 1.3 Post-Market Clinical Follow-Up (PMCF)
72
+
73
+ Following the initial clinical evaluation, the organization plans the post-market clinical follow-up for the
74
+ medical device, ensuring its continuous safety and sufficient performance during the marketing phase. The PMCF
75
+ serves as input to regularly update the clinical evaluation.
76
+
77
+ The Medical team is responsible to compile and implement a Post-Marketing Clinical Follow-Up Plan, including
78
+ at minimum:
79
+
80
+ * Methodology for data collection and justification for selected methods
81
+ * Consideration of new data related to the risk management file, the claims discussed in the Clinical
82
+ Evaluation Report or applicable regulations
83
+ * Specification of the PMCFP period (no longer than one year), including a time plan for PMCF activities and
84
+ the next update of the clinical evaluation
85
+
86
+ The CAPA process must be initiated if new information collected as part of the PMCF activities indicates that
87
+ a balanced risk-benefit ratio and the safety of the device is in question.
88
+
89
+ All PMCF activities conducted per PMCF period are documented in a Post-Market Clinical Follow-Up Report.
90
+
91
+ | | |
92
+ |--------------|------------------------------------------------------------------------------------------------------------------------------|
93
+ | Participants | Medical team |
94
+ | Input | Clinical Evaluation Report New clinical data during the marketing phase |
95
+ | Output | Completed Post-Market Clinical Follow-Up Plan and Report<br>If necessary: PMCF measures (e.g., CAPA, updated risk file, etc.) |
96
+
97
+ ---
98
+
99
+ Template Copyright [openregulatory.com](https://openregulatory.com). See [template
100
+ license](https://openregulatory.com/template-license).
101
+
102
+ Please don't remove this notice even if you've modified contents of this template.