The Compliance Stack: Managing ISO 13485, FDA, EU MDR, and GDPR Simultaneously
How MedTech and regulated industry teams use Claude Code skills to manage overlapping compliance obligations — ISO 13485, FDA submissions, EU MDR, ISO 27001, and GDPR.
Regulated industries don’t get to pick one compliance framework. A medical device company bringing a product to market typically manages FDA submissions, EU MDR technical documentation, ISO 13485 certification, GDPR obligations for any health data, and ISO 27001 for their information systems — simultaneously, with each framework referencing the others. A gap in the QMS shows up in the FDA submission. A weak risk management file fails the EU MDR technical documentation review. An ISO 27001 gap is a GDPR problem if health data is involved.
The documentation burden is significant even when the underlying controls are already in place. Risk management files, clinical evaluation reports, statements of applicability, CAPA records, quality management reviews — each framework has its own required format, its own required content, and its own audit trail requirements. Producing this documentation consistently across teams and over time, while managing a product development programme and responding to actual nonconformities, is one of the most resource-intensive parts of running a regulated business.
The Compliance & Quality Stack gives Claude a structured approach to each framework. Each skill knows the format that certification bodies and regulators expect, the sections that belong in each document type, and the level of detail that survives audit scrutiny. The documentation work gets done consistently and to the right standard — which means the time that compliance, regulatory, and quality teams spend goes into the substance: the actual risk decisions, the clinical evidence, the audit findings — rather than the structure.
The frameworks, skill by skill
Quality management system
Quality Manager — ISO 13485 builds and maintains a QMS to ISO 13485 standard — document control, process validation, supplier management, management review, and the audit-readiness requirements that certification bodies check. ISO 13485 is the foundational framework for a MedTech quality system, and everything else in the compliance stack sits on top of it. A QMS that’s well-documented and consistently operated makes the FDA submission easier to prepare, the EU MDR technical documentation more credible, and internal audits less painful. A QMS that exists on paper but hasn’t been maintained creates risk across every regulatory pathway simultaneously.
Use it when building a QMS from scratch for initial certification, when updating an existing QMS to reflect scope changes or new processes, or when preparing the documentation package for a surveillance audit.
Quality Manager — QMR prepares quality management reviews with the right data, trend analysis, and decision outputs — the structured review format that ISO 13485 requires and the common gaps that auditors flag. The QMR is one of the most commonly cited areas of nonconformity in ISO 13485 audits, usually because the review didn’t include the required inputs or didn’t produce documented outputs that demonstrate management decision-making. The skill structures the QMR to cover what the standard requires and produce output that demonstrates actual review rather than a procedural formality.
Use it when preparing an upcoming management review, when the previous QMR received a nonconformity and the corrective action includes improving the review process, or when the QMR format hasn’t been systematically reviewed against the standard’s requirements.
Quality Documentation Manager maintains controlled documents — SOPs, work instructions, forms, and records — with the version control and review cycles that QMS standards require. Document control is the compliance function that compounds quietly: SOPs that haven’t been reviewed on schedule, forms that have drifted from the controlled version, work instructions that describe a process that changed two product generations ago. The skill maintains the document control discipline that prevents these accumulations.
Use it when setting up a document control system for a new QMS, when a document control audit has identified gaps in the review and approval process, or when a product or process change requires systematic review of affected controlled documents.
CAPA Officer runs corrective and preventive action processes systematically — root cause analysis methodology, action planning, effectiveness verification, and the documentation trail that survives an audit. CAPAs triggered by customer complaints, nonconformity reports, or internal audit findings all require the same documented process: a root cause that’s been investigated rather than assumed, actions that address the root cause rather than the symptom, and effectiveness checks that confirm the actions actually worked. The skill structures each stage so the CAPA file is complete and defensible before it’s closed.
Use it when a nonconformity is raised and a CAPA is required, when existing CAPA records are being reviewed for completeness before an audit, or when the CAPA process itself has been identified as a systemic weakness that needs structural improvement.
npx skills add alirezarezvani/claude-skills --skill ra-qm-team/...
Risk management
Risk Management Specialist applies ISO 14971 methodology to medical devices — hazard identification, severity and probability estimation, risk control measures, residual risk documentation, and the risk management file that ties the analysis together. ISO 14971 risk management is a required input to EU MDR technical documentation and a critical component of any FDA submission where safety and effectiveness need to be demonstrated. The most common failure in risk management documentation isn’t incorrect analysis — it’s incomplete documentation of the analysis that was done, making it impossible for a reviewer to trace the reasoning.
Use it when building the initial risk management file for a new device, when updating the risk management analysis to reflect a design change or post-market safety data, or when preparing the risk management documentation for a regulatory submission or certification audit.
npx skills add alirezarezvani/claude-skills --skill ra-qm-team/risk-management-specialist
Regulatory submissions
Head of Regulatory Affairs handles strategic oversight of the regulatory programme — submission planning, agency interaction strategy, market entry sequencing, and the prioritisation decisions that determine which markets you enter and when. FDA and EU MDR have different requirements, different timelines, and different risk profiles for a given device. Strategic regulatory planning means choosing the right pathway for each market, preparing for agency interactions, and making the resourcing decisions that allow the programme to move in parallel rather than sequentially.
Use it when planning a regulatory programme for a new device, when evaluating whether a design change requires a new submission, or when the regulatory strategy needs to be reassessed because of a market change, a competitor’s clearance, or a change in the applicable guidance.
FDA Consultant navigates FDA requirements — 510(k) preparation, predicate device strategy, substantial equivalence argumentation, performance testing requirements, and the submission formats that reviewers expect. 510(k) preparation is a detailed documentation exercise: the predicate selection and substantial equivalence argument need to be rigorous, the performance testing needs to cover what the guidance requires, and the submission format needs to match what the relevant FDA division expects. An incomplete or poorly organised 510(k) delays clearance; a well-prepared one moves through review efficiently.
Use it when preparing a 510(k) submission, when a predicate strategy needs to be evaluated before testing begins, or when a Request for Additional Information from FDA needs a structured response.
MDR Specialist prepares EU MDR technical documentation — clinical evaluation reports, PMCF plans, Article 10 obligations, Summary of Safety and Clinical Performance, and the Annex requirements that differ substantially from legacy MDD requirements. EU MDR raised the clinical evidence bar significantly compared to the MDD, and many devices that had straightforward MDD certifications are facing more demanding clinical evidence requirements under MDR. The clinical evaluation report in particular needs to demonstrate a systematic review of available clinical data and a robust analysis of whether that data supports the device’s safety and performance claims.
Use it when preparing EU MDR technical documentation for a new or legacy device, when updating a clinical evaluation report to reflect new post-market data or a change in the state of the art, or when preparing for a notified body audit of the technical documentation.
npx skills add alirezarezvani/claude-skills --skill ra-qm-team/...
Data protection and information security
GDPR Expert assesses data processing activities, drafts privacy notices and data processing agreements, conducts DPIAs for new features or processing activities, and documents the lawful basis for processing — including the specific requirements for health data under Article 9. Health data is a special category under GDPR, which means any medical device that collects or processes patient data is subject to stricter requirements than general personal data processing. The DPIA obligation applies to any processing that is likely to result in high risk to individuals’ rights and freedoms — which covers most health data processing at scale.
Use it when a new feature or device capability involves health data processing and a DPIA is required before launch, when onboarding a new vendor who will process health data on your behalf, or when preparing for a data protection audit.
Information Security Manager — ISO 27001 designs and documents an ISMS — risk assessment methodology using the ISO 27005 framework, Annex A control selection and justification, Statement of Applicability with inclusion and exclusion rationale, and the policy and procedure documentation that supports the control framework. ISO 27001 is an increasingly common requirement in healthcare vendor agreements and a prerequisite for some regulatory pathways and market segments. The documentation requirements are extensive even when the underlying controls are already in place: the risk assessment methodology, the risk register, the control justifications, and the SoA all need to be in place before certification.
Use it when building an ISMS for initial ISO 27001 certification, when updating existing documentation to reflect scope changes or control additions, or when preparing the documentation package for a certification or surveillance audit.
ISMS Audit Expert and QMS Audit Expert plan and conduct internal audits of both the information security management system and the quality management system. Internal audits are the mechanism that keeps a management system credible between certification cycles — they surface control gaps before external auditors do and produce the evidence of continuous improvement that certification bodies look for. The skills structure each stage of the audit: planning and scope definition, evidence collection, nonconformity identification and classification, corrective action recommendations, and management review preparation.
Use them when running the annual internal audit programme, when a certification audit is approaching and a pre-audit review would identify gaps before the auditor does, or when a specific control domain has had recent changes that warrant a focused audit.
npx skills add alirezarezvani/claude-skills --skill ra-qm-team/...
How the stack works together
Compliance documentation is interconnected — a weakness in one framework creates risk across others. Here’s how the stack maps to two common compliance scenarios:
Initial MedTech certification (ISO 13485 + EU MDR): Use Quality Manager — ISO 13485 to build the QMS. Use Risk Management Specialist to develop the risk management file — it’s a required input to the EU MDR technical documentation. Use MDR Specialist to prepare the technical documentation once the QMS and risk management file are in place. Use QMS Audit Expert to run the internal audit before the notified body comes in. If health data is involved, use GDPR Expert to assess the processing activities and produce the required documentation in parallel.
FDA submission (510(k)) with data protection obligations: Use FDA Consultant to structure the submission. Use Risk Management Specialist to ensure the risk documentation meets FDA’s expectations for the demonstration of safety and effectiveness. If the device processes patient data in the US, coordinate with GDPR Expert for any EU obligations in parallel. Use Head of Regulatory Affairs to manage the submission strategy if multiple markets are in scope simultaneously.
Ongoing programme (post-certification): Use CAPA Officer when a nonconformity is raised. Use Quality Manager — QMR for the annual management review. Use QMS Audit Expert and ISMS Audit Expert for the internal audit programme. Use MDR Specialist to update clinical evaluation reports when post-market data requires reassessment.
Each skill triggers independently based on what you ask for. The --skill ra-qm-team path in the install command covers all the regulatory and quality skills. ISO 27001 and GDPR skills share the same install path.