iFeed core · the structural spine

Governance is the structure that makes quality survivable.

Quality is not a department. Compliance is not a gate. Governance is the structure that makes quality and compliance reproducible across an organisation as it scales, as regulators inspect, and as technology shifts under it. This is the iFeed core: the operating system beneath every domain in the library.

Standards: ISO 9001 · 13485 · ICH Q9(R1) · Q10 · QMSR · ISO/IEC 42001
Lens: production-floor · GxP regulated
Methodology: the methodology
/ 00

Governance is the operating system beneath every domain.

Standards stack · domain pillars · PDCA cycle

A regulated organisation runs on a stack. Domains — bioanalytical, bioequivalence, clinical trials — sit on top because they are what regulators inspect on the floor. Underneath: governance, the load-bearing layer. Below that: the standards stack, ordered by surface area: ISO/IEC 42001 (AI management), QMSR + ICH Q10 (pharmaceutical quality), ICH Q9(R1) + ISO 13485 (risk + medical devices), ISO 9001 (foundational). Around the outside: a PDCA cycle that makes the whole thing operational.

/ what regulators inspect on the floor

  • Bioanalytical · ICH M10 · analytical spine
  • Bioequivalence · ICH M13A · regulator-facing
  • Clinical trials · E6(R3) · M11 · study lifecycle

Governance · the structure that makes quality survivable across scale, inspection, and tech-shift

/ standards stack · the foundation

  • ISO/IEC 42001 · AI management system · 2023 · first AI-MS standard
  • QMSR · FDA · harmonised w/ ISO 13485 · effective 2 Feb 2026
  • ICH Q10 · pharma quality system
  • ICH Q9(R1) · quality risk management
  • ISO 13485 · medical device QMS
  • ISO 9001 · foundational quality management · process approach + risk-based thinking

PDCA · Plan · Do · Check · Act

/ five major instruments inside an 18-month window

  • EU AI Act · in force · 1 Aug 2024
  • QMSR · effective · 2 Feb 2026
  • ICH E6(R3) · Step 4 · 6 Jan 2025
  • ISO/IEC 42001 · published · Dec 2023
  • ICH M10 · operational

/ At a glance

The iFeed.governance reference, in headlines.

2026-05-02 · live
Frameworks

10 anchored.

ISO 9001 · ISO 13485 · ICH Q9(R1) · ICH Q10 · ICH Q12 · 21 CFR 820 / QMSR · 21 CFR Part 11 · EU Annex 11 · ISO/IEC 42001 · GAMP 5. The full governance stack.

QMSR effective

2 Feb 2026.

21 CFR 820 harmonised with ISO 13485:2016. Combination-product DHF-to-BMV bridge becomes inspection-visible. Top-5 483 category projected by 2027.

EU AI Act

Annex III · 2 Aug 2026.

High-risk obligations under Article 6(2) for standalone Annex III categories applicable 2 Aug 2026 (subject to deferral to up to 2 December 2027 under Digital Omnibus COM(2025) 836 of 19 Nov 2025). Article 6(1) (MDR/IVDR safety-component route) applies from 2 August 2027.

ISO/IEC 42001

The AIMS standard.

December 2023 publication. The AI-equivalent of ISO 9001. Where pharma QMS overlaps and where 42001 fills gaps. The certification pathway for AI management systems.

/ Connection

Governance gates all three.

Bioanalytical · Bioequivalence · Clinical trials

Governance is the centre · the structural gate every trial domain passes through. QMS, ALCOA+, ICH Q9(R1), ISO/IEC 42001 — the policy layer that makes the science survivable on inspection day.

/ Chapters

Nine chapters · open any.

Chapter 01 · flagship

Pillars: cross-stack governance comparison.

ISO 9001 · ISO 13485 · ICH Q9(R1) · ICH Q10 · ICH Q12 · 21 CFR 820 / QMSR · 21 CFR Part 11 · EU Annex 11 · ISO/IEC 42001 · GAMP 5. Scope · when applies · what each requires · audit-readiness implications.

Chapter 02 · operational layer

Governance substrate.

QA function structure (corporate vs site). Training programs & competency matrices. Change-control workflows. Deviation handling. CAPA lifecycle. Document-control hierarchy (SOP / WI / forms). Management review cadence. Internal audit programs.

Chapter 03 · the multi-decade arc

History & evolution.

Pre-1980s no formal QMS in pharma. ISO 9001 (1987) the universal QMS reference. ISO 13485 (1996) for medical devices. ICH Q10 (2008). FDA Pharmaceutical cGMPs for the 21st Century (2002). MHRA GxP DI (2018). QMSR (Feb 2026). ISO/IEC 42001 (2023). EU AI Act (2024).

Chapter 04 · live now

Current state: 2026.

QMSR effective 2 February 2026. EU AI Act Annex III high-risk applicable 2 August 2026 (subject to deferral to up to 2 December 2027 under Digital Omnibus COM(2025) 836 of 19 Nov 2025). ICH E6(R3) operative since January 2025. ISO/IEC 42001 adoption accelerating. GMP Annex 22 in consultation. Convergence of regulated-AI governance frameworks.

Chapter 05 · projection

Future scope: 2026-2035.

EU AI Act Annex I high-risk applicability 2 Aug 2027. GMP Annex 22 finalisation. ISO/IEC 42001 becoming the AI-equivalent of ISO 9001. QMS+AIMS convergence. Continuous-validation paradigm. Regulator AI literacy programs (FDA AI Office, EMA AI WG, MHRA AI airlock). The 2030+ landscape.

Chapter 06 · the iFeed lens

AI quality governance.

How governance has to absorb AI · the immunity model. The 5 governance shifts AI forces: validation of non-deterministic systems · continuous monitoring · training-data lineage · PCCP-driven model updates · human-in-the-loop architecture. Pre-immunisation → active immunity → adaptive immunity.

Chapter 07 · operational pipeline

Flow · audit-readiness.

Continuous compliance monitoring → mock audit → pre-inspection review → regulator inspection → 483 response → CAPA → effectiveness verification → management review. FDA OAI/VAI/NAI scoring. EMA risk-based inspection. MHRA risk-based GMP inspection.

Chapter 08 · who runs the field

People: use cases, players, stakeholders.

Eight regulatory triggers (483 findings, EMA non-compliance, MHRA GxP DI, EU AI Act conformity, ICH Q9(R1), ISO 42001 audits, IRB/IEC findings, CAPA effectiveness). Five player categories: QA/RegOps, third-party auditors and notified bodies, regulators, GxP tech vendors, standards bodies.

Chapter 09 · the living feed

Notes: governance writing.

The feed of writing relevant to governance practice. EU AI Act, QMSR, ISO/IEC 42001, GMP Annex 22, validation of non-deterministic systems, the immunity-model framing. Filtered from the global notes archive.

/ 01

Why governance matters.

Three frames · regulatory · operational · strategic

Most regulated organisations treat governance as a regulatory burden — a tax extracted by inspectors and auditors. That frame is correct but incomplete. Governance has three frames simultaneously, and only the third is what makes a company defensible against AI failure modes, regulatory shifts, and the next decade of compliance pressure.

Frame 01

Regulatory.

The minimum surface required to operate. Without it, no submission is reviewable, no inspection survivable, no commercial product viable.

  • 21 CFR 820 / QMSR · 21 CFR Part 11 data integrity
  • ICH Q10 (PQS) · Q9(R1) risk · Q8 development
  • ICH E6 R3 (GCP) · ICH M10 BMV · ICH M13A BE
  • EU MDR · EU IVDR · EU CTR · EU AI Act
Frame 02

Operational.

The internal architecture that lets the organisation deliver consistently — across teams, sites, instruments, suppliers, time. Governance reduces the rework cost of the next deviation, the next audit finding, the next change control.

  • SOP architecture · training records · competency
  • Document control · change control · CAPA
  • Supplier qualification · transfer protocols
  • Inspection readiness · ongoing surveillance
Frame 03

Strategic.

The frame iFeed treats as primary. Governance is the immune system · the structural antidote to AI vulnerability, methodology drift, and the failure modes that hurt organisations after they scale. Pre-immunisation is cheaper than rescue.

  • AI quality governance (ISO/IEC 42001 · EU AI Act)
  • Methodology IP separation · independence-first
  • Vaccine framing · not insulation, immunisation
  • Cross-domain consistency · regulated-life-sciences fit
/ 02

The QMS stack.

Eight binding standards · how they layer

Quality management systems in regulated life sciences are not a single document. They are a layered stack of standards, each binding in a different way and covering a different surface. The stack reads top-down: from the abstract management-system principles to the concrete trial-conduct or device-design rules.

L01 · ISO 9001 · 2015 (R)
Quality management systems · requirements. The non-regulated baseline. Plan-Do-Check-Act, customer focus, continual improvement, leadership engagement, evidence-based decisions.

L02 · ICH Q10 · 2008
Pharmaceutical Quality System. Layered on ISO 9001. Adds product lifecycle (development → transfer → commercial → discontinuation), management responsibility, knowledge management.

L03 · ICH Q9(R1) · 2005 / R1 2023
Quality Risk Management. The risk methodology that runs across Q8/Q10/Q11/E6/M10. R1 (2023) added subjectivity-management, knowledge-base risk, and digitalisation. The most-cited ICH document in 2024-2026 inspections.

L04 · ICH Q8(R2) · 2009
Pharmaceutical Development. QbD framework. Critical Quality Attributes (CQAs), Critical Process Parameters (CPPs), design space. Underpins ICH M10's risk-based partial-validation approach.

L05 · 21 CFR Part 11 · 1997
Electronic records · electronic signatures. Audit trail, attribution, identification, validation. The data-integrity floor for every regulated computer system. ALCOA+ derives from §11 read across regulators.

L06 · QMSR · 21 CFR 820 · 2026 effective
Quality Management System Regulation. FDA's medical-device QMS rule, harmonised with ISO 13485:2016 effective 2 February 2026. The 30-month implementation window forced major device QMS rebuilds 2024-2026.

L07 · ISO 13485 · 2016 (R)
Medical devices · QMS · regulatory purposes. Notified-body baseline for EU MDR / IVDR. Now harmonised with QMSR 2026. Layered with ISO 14971 (risk management), IEC 62304 (software lifecycle), IEC 62366 (usability).

L08 · ICH E6 R3 · 2024
Good Clinical Practice. The clinical-trial conduct standard. R3 (Jan 2025 finalised) introduced principles-based GCP, sponsor-investigator oversight, decentralised-trial language, risk-based monitoring, electronic systems alignment with §11.

L09 · ISO/IEC 42001 · 2023
AI management system. The first international standard for governance of AI. Risk-impact assessment, lifecycle controls, transparency, post-market monitoring. Will become the AI-equivalent of ISO 9001.

/ 03

Compliance topology.

Four quadrants · pharma · MedTech · combination · AI in regulated

Compliance is shaped by the type of product the organisation makes. The four quadrants below carry distinct standards, distinct inspection regimes, and distinct failure modes. Most regulated organisations live in two or three of them at once · the bridges between them are where audit findings concentrate.

Quadrant 01

Pharmaceutical.

Small molecules, biologics, biosimilars, cell & gene therapy. Regulated as medicines.

  • Standards · ICH Q8 / Q9 / Q10 / Q11 / Q12 · 21 CFR 210/211 GMP · EU GMP Vol 4
  • Trial conduct · ICH E6 R3 GCP · ICH E8(R1) general considerations
  • Bioanalytical · ICH M10 BMV · FDA 2018 · EMA Rev 1 (superseded)
  • Bioequivalence · ICH M13A · 21 CFR 320 · EMA CPMP/EWP/QWP/1401/98
  • Pharmacovigilance · ICH E2A-E2F · EU GVP modules · FDA REMS
Quadrant 02

Medical device / IVD.

Hardware, IVDs, software-as-a-medical-device (SaMD). Regulated as devices.

  • Standards · ISO 13485:2016 · QMSR (21 CFR 820) effective 2026 · EU MDR · EU IVDR
  • Risk · ISO 14971 · failure mode & effects analysis · design FMEA
  • Software · IEC 62304 lifecycle · IEC 62366 usability · FDA pre-cert · PCCP
  • Clinical evaluation · MDR Article 61 · MDCG 2020-13 · ISO 14155
  • Post-market · UDI · vigilance · FSCA (field safety corrective actions)
Quadrant 03

Combination products.

Drug-device, biologic-device, drug-eluting devices, prefilled syringes, drug-coated catheters. The growing intersection · QMSR 2026 forced new bridges.

  • Lead-mode classification · primary mode of action drives lead regulator
  • Bridge documentation · DHF (820.30) ↔ PQS (Q10) handshake
  • Bioanalytical bridge · ICH M10 + 21 CFR 820 design controls
  • Risk overlay · ICH Q9 + ISO 14971 reconciliation
  • 2026 inspection focus · combination-product DHF-to-BMV bridges projected top-5 483 by 2027
Quadrant 04

AI in regulated.

AI/ML inside or alongside any of the above. The newest quadrant · with the least settled regulatory text.

  • EU AI Act · effective 1 Aug 2024 · high-risk systems classified by use case
  • FDA AI/ML SaMD · PCCP framework · predetermined change control plan
  • ISO/IEC 42001 · AI management system standard · lifecycle controls
  • ISO/IEC 22989 · AI concepts and terminology · foundational
  • ICH M10 v2 · narrow AI scope (peak detection, integration, calibration-fit) projected Q3 2028
/ 04

Data integrity · ALCOA+.

Six original letters · five additions · the integrity floor

ALCOA was the FDA-articulated data-integrity acronym from the early 1990s. ALCOA+ added five more in 2010 to address the failures the original framework couldn't see: missing context, unstable storage, hidden information. Every regulated computer system must demonstrate ALCOA+ to pass inspection. This is the data integrity floor — not the ceiling.

A
Attributable.

Who created or modified the record. Username, role, date-time stamp. No anonymous edits.

L
Legible.

Readable through the retention period. No erased, overwritten, or obscured data. Human-and-machine readable.

C
Contemporaneous.

Recorded at the time the activity occurred. Backdating is a data-integrity violation, not an administrative one.

O
Original.

First-capture record or true copy. Photocopy of a chromatogram printout is not a true copy (WHO §4.22).

A
Accurate.

Free from error, complete, reflecting actual measurement. Includes verified transcription if any.

+ C
Complete.

Full record including reanalysis, deviations, change history. Not a curated summary.

+ C
Consistent.

Internal logic preserved across systems. Audit trails reconcile to source records.

+ E
Enduring.

Retained for the regulatory window (often product lifetime + 10 years). Storage media must remain readable.

+ A
Available.

Retrievable within audit-window timeframe. Inspector must be able to read it within hours, not weeks.

+ T
Traceable.

Linked to source. Every derived value reconstructable from raw data through documented steps.

/ 05

Audit & inspection readiness.

What inspectors actually check · the 2025 frequency view

Inspection readiness is not a state, it's a posture. The percentages below are iFeed's analysis of publicly available 2025 FDA bioanalytical 483s and Warning Letters (FDA does not publish category-level breakdowns); equivalent EU MDR / EMA / PMDA findings cluster around the same surfaces. The cited rule is rarely the underlying problem · the inspector's actual concern is whether the system can be read by another competent reviewer in the inspector's place.

28%
ISR sample-selection randomisation.

The #1 finding in 2025. Defensibility of how the 10% reanalysis sample was chosen. Concentration-range coverage, time-point distribution, demographic coverage. ICH M10 §5.

22%
Reagent-lot bridging.

#2 finding. Documentation of critical-reagent transitions: lot validated when, lot ran which study sample, what bridging experiment closed the gap. The growing 2026-2028 frontier.

17%
Partial-validation SOP gaps.

Pre-defined triggers (matrix change, anticoagulant change, site transfer, reagent change) and acceptance criteria for each. EMA stricter than FDA on what counts as triggered.

14%
Method-transfer documentation.

Sponsor lab → CRO and CRO → CRO transfer evidence. PMDA 2024 framework cited explicitly. Often surfaces in late-stage programmes when capacity moves.

~10%
Audit-trail completeness.

Part 11 / EU Annex 11 audit-trail review. Whether the audit trail is reviewed (not just enabled), and whether dynamic data (chromatograms) are retained as raw data per WHO §4.22.

~8%
Calibration-curve back-calculation reporting.

EMA Nov 2023 corrigendum top finding. Whether back-calculated standards are reported with the same precision as nominal. Often a copy-paste defect.

~6%
Stability matrix completeness.

Bench-top, freeze-thaw, long-term, stock solution, processed sample, whole blood (if applicable). M10 §3.2.8 / §4.2.7. The forgotten validation activity.

remaining
Cross-cutting data integrity.

ALCOA+ violations · contemporaneous-recording failures · backdated entries · missing reviewer signatures. Cuts across all domains.

/ 06

Risk-based thinking.

ICH Q9(R1) · 5-step lifecycle · FMEA / hazard analysis

ICH Q9(R1) (Step 4 reached 18 January 2023) is the most-cited ICH document in 2024-2026 inspections. The R1 revision explicitly addressed subjectivity-management, knowledge-base risk, and digitalisation — gaps the 2005 original couldn't anticipate. Every regulated change, deviation, transfer, and validation now passes through the same five-step lifecycle.

Step 01
Initiate.

Define the risk question. Scope, decision context, data needs. Q9(R1) added subjectivity declaration here.

Step 02
Assess.

Identify, analyse, evaluate. Severity · probability · detectability. FMEA, fault-tree, HAZOP, hazard analysis.

Step 03
Control.

Reduce or accept. Mitigation hierarchy: design out > engineered > administrative. Residual risk acceptance criteria.

Step 04
Communicate.

Documented decisions, accountability, transparency. Cross-functional review where impact crosses boundaries.

Step 05
Review.

Periodic re-evaluation. Trigger-based reassessment after change. Continuous-improvement linkage to CAPA system.

/ 07

AI quality governance.

Four standards · the AI-in-regulated stack

AI deployment in regulated life sciences is no longer optional — peak detection algorithms are in every LC-MS/MS instrument, eligibility-screening models triage clinical-trial recruitment, image-classifier SaMDs are FDA-cleared, generative LLMs are inside pharmacovigilance triage. The regulatory text catching up to this reality is split across four standards, each binding in a different way. iFeed's AI quality governance practice operates inside this stack.

Horizontal AI standard

ISO/IEC 42001.

Published Dec 2023 · AI management system

The first international standard for governance of AI. Layered like ISO 9001 — risk-impact assessment, lifecycle controls, transparency, post-market monitoring, supplier management. Not regulator-binding but rapidly becoming notified-body and inspector reference.

Covers any AI system regardless of sector. Will become the AI-equivalent of ISO 9001, as ISO 13485 was for medical devices.

Scope · AI lifecycle · organisation-wide
Regulatory law

EU AI Act.

Effective 1 Aug 2024 · phased through 2027

Risk-tiered: prohibited · high-risk · limited-risk · minimal-risk. Most life-sciences AI is high-risk — clinical decision support, diagnostic AI, recruitment screening, employment-relevant algorithms. High-risk obligations include conformity assessment, post-market monitoring, fundamental rights impact assessment.

Cross-cuts MDR/IVDR for medical AI. Sponsors face dual classification and dual conformity routes.

Scope · EU market · binding 2026 onwards (high-risk full applicability)
FDA framework

AI/ML SaMD · PCCP.

2021 action plan · 2024 PCCP final guidance

Predetermined Change Control Plan (PCCP) lets locked AI models be updated post-market within a pre-cleared envelope. Algorithm Change Protocol (ACP) defines the modification types, performance metrics, validation strategy. The mechanism by which adaptive AI gets to commercial use without re-clearance per update.

Extends to bioanalytical AI/ML around 2027 per ICH M10 v2 narrow scope.

Scope · FDA SaMD · locked & adaptive AI
Foundational

ISO/IEC 22989.

2022 · AI concepts and terminology

The vocabulary standard. Defines what counts as AI, ML, DL, NLP, agent, foundation model, training data, validation data, drift, etc. Inspector and regulator language increasingly anchored here · using ISO 22989 vocabulary in validation reports reduces interpretation friction.

Often paired with ISO/IEC 23053 (AI/ML framework) and ISO/IEC 38507 (governance of AI).

Scope · vocabulary · cross-domain
/ 08

Common failure modes.

Eight patterns the practice keeps seeing

The patterns below are the recurring failure modes iFeed sees across regulated organisations — across pharma, MedTech, combination products, and AI-in-regulated. Most are not technical defects. They are governance defects that express themselves through technical findings.

Pattern 01
Quality as department, not function.

Quality team owns "quality"; everyone else thinks compliance is somebody else's job. Inspector finds the same finding three times in three different teams. Symptom of leadership-engagement gap (ICH Q10).

Pattern 02
SOPs as artefacts, not living instruments.

SOP suite present and indexed but not read. Training records show signatures, not competency. The most common 483 surface for cross-cutting "system" findings. The remediation is hard because it's cultural.

Pattern 03
Audit-trail enabled, not reviewed.

Part 11 audit trail switched on but no scheduled review. Inspector asks for the last review record. There isn't one. Cited as data-integrity violation, not Part 11 technical gap.

Pattern 04
Risk assessment copied across changes.

Same risk assessment template applied to every change without reframing. Q9(R1) §6 explicitly addresses this — subjectivity declaration, knowledge-base reuse with re-evaluation. Templated risk is non-risk.

Pattern 05
CAPA loop open, no effectiveness check.

CAPA actions implemented, closure documented, no effectiveness evaluation. The system fails again 18 months later in the same place. Inspector reads the pattern in the deviation register.

Pattern 06
Method-transfer without bridging.

Method moves from sponsor to CRO or CRO to CRO without a formal partial-validation per ICH M10 §6 / PMDA 2024. Late-stage programme failure surface.

Pattern 07
AI without AI quality governance.

AI/ML deployed (peak detection, eligibility screening, image classification) without ISO/IEC 42001 lifecycle controls or PCCP. EU AI Act high-risk classification arrives uncovered.

Pattern 08
Methodology absorbed into employer.

The personal-IP failure mode iFeed exists to address. Founder methodology gets implicitly assigned to the organisation; founder leaves; everything fragments. Independence-first is the structural antidote.

/ 09

The methodology lens.

How iFeed's methodology operationalises this stack

The structures above are how the field describes governance. The methodology is how iFeed operates governance — the methodology that turns the QMS stack, the compliance topology, ALCOA+, Q9(R1), and ISO/IEC 42001 into a single deployable practice. Three phases: Pre-immunisation (vaccination · before AI deployment), Active immunity (operational governance · during use), Adaptive immunity (post-incident learning · after every event).

/ Methodology

the methodology · the operating system underneath the practice.

The full methodology, the three-phase frame, and the agent-native execution architecture. The methodology is what turns the regulatory and operational frames into deployable governance.

/ 10

Governance stakeholders.

Who decides · who is liable · who pays

Governance has internal stakeholders (who owns it, who runs it) and external stakeholders (who inspects it, who funds it, who is affected). The map below is who fires which lever when the system is challenged. Most governance failures sit at the interfaces between these stakeholders, not inside any one role.

CEO / Managing Director
Interest: company viability · regulatory approvability · reputational capital
Leverage: budget allocation · ICH Q10 management responsibility · inspection-day signature

Quality head / VP QA
Interest: QMS coherence · audit-readiness · cross-domain consistency
Leverage: release authority · CAPA system · supplier qualification

Regulatory affairs head
Interest: submission acceptability · timeline predictability · authority relationships
Leverage: strategy choice · jurisdiction selection · scientific advice meetings

Compliance officer
Interest: policy adherence · training completeness · documentation discipline
Leverage: internal audit · monitoring · escalation pathways

Site / facility head
Interest: operational continuity · inspection survival · resourcing
Leverage: SOP authoring · change-control approval · inspection front-line

R&D / process development
Interest: scientific freedom · innovation pace · regulatory headroom
Leverage: QbD design space · CQA / CPP definition · early-phase risk decisions

IT / data integrity owner
Interest: system uptime · validated state · audit-trail completeness
Leverage: system landscape · integration design · 21 CFR Part 11 / EU Annex 11 compliance

Regulator · inspector
Interest: data integrity · system reproducibility · public health
Leverage: 483 observations · warning letters · clinical hold · approval / non-approval

Notified body (EU)
Interest: conformity assessment quality · ongoing surveillance
Leverage: certificate suspension · re-audit · scope reduction

Patient / end user
Interest: safety · efficacy · access
Leverage: indirect (via ethics review · adverse-event reporting · post-market signals)