How we determine what to evaluate

Our coverage methodology: what we directly evaluate, how we treat clauses that don’t fit a single-document checklist, and what we don’t claim.

Regulatory standards are not designed to be evaluated clause-by-clause with equal weight. A working auditor doesn’t ask for a “management commitment document” and check a box. They assess management commitment through the quality objectives, review records, and resource decisions that commitment is supposed to produce. They treat cleanliness-of-product requirements as relevant only to manufacturers who actually have cleanliness processes. They read a general umbrella clause as satisfied when its specific sub-requirements are met.

We built our coverage methodology the same way. The guiding principle, established at the start of our work: coverage should be curated to auditable requirements, the ones that produce concrete, detectable evidence in a document set, rather than a mechanical claim of 100% clause-for-clause coverage. A real auditor doesn’t treat every sub-clause of a standard with equal weight. Neither do we, and we’re explicit about how we handle the rest.

What is directly evaluated

We publish a curated set of requirements traced to authoritative sources across the standards we cover: ISO 13485:2016, FDA QMSR (21 CFR Part 820), ISO 14971:2019, IEC 62304:2015, IEC 62366-1:2020, IEC 81001-5-1:2021, FDA cybersecurity guidance, and FDA postmarket regulations (21 CFR Parts 803, 806, 810, and 822). Every requirement in that set has a source citation: the official electronic Code of Federal Regulations for US regulations, and the published standard itself for ISO and IEC content. None are invented.

These are the requirements that a well-prepared QMS should produce evidence for in a document set. When a reviewer uploads documents, we evaluate against this set directly.

Requirements consolidated into a broader evaluation

Some clauses in a standard are umbrella statements: a general clause whose substance is fully expressed by its own specifics. An auditor treats these as satisfied when the underlying requirements are met, because there is no separate artifact to check for the umbrella alone.

We handle eight such clauses this way, each confirmed by independent review against the ISO 13485 and 21 CFR Part 820 source text. For example: ISO 13485 §7.3.1 (the general design-and-development clause) is evaluated under the specific design-and-development planning requirement that frames it; §8.1 (the general measurement, analysis, and improvement clause) is fully expressed by the specific internal-audit, corrective-action, and post-market requirements beneath it; and §8.5.1 (the general improvement clause) is evaluated through those same corrective-action and post-market surveillance requirements. On the 21 CFR Part 820 side, the same holds for §820.86, §820.130, §820.140, and §820.186, which cover acceptance status, device packaging, handling, and quality system records. Each appears as a focused requirement in our evaluation set rather than being assessed under a broader clause alone.

We describe these in our coverage as: consolidated into a broader requirement.

Requirements that apply conditionally, based on your device

Some of the most consequential requirements in a standard apply only to manufacturers whose devices or processes actually invoke them. A company with no sterile manufacturing doesn’t need a validated sterilization process, and an auditor reviewing their QMS wouldn’t expect to find one. Flagging the absence of sterilization records as a gap for a company that makes non-sterile, software-only devices would be noise, not insight.

We hold dedicated requirements for these conditionally applicable clauses and evaluate them when your device profile indicates they apply. ISO 13485 §7.5.2 (cleanliness of product), §7.5.3 (installation activities), §7.5.4 (servicing activities), §7.5.5 (particular requirements for sterile medical devices), §7.5.7 (validation of processes for sterilization), and §7.5.10 (customer property), alongside the parallel installation requirement at 21 CFR §820.170, all fall into this category. Each is a real requirement with real compliance obligations; the question is only whether it applies to a given manufacturer.

The sterilization-process pathway (§7.5.7) is running this way today. We are actively expanding the device-profile signals that drive conditional evaluation across the remaining clauses in this group. We describe these in our coverage as: conditionally applicable — evaluated when your device profile indicates it applies.

Requirements assessed through their documented outputs

A small number of clauses in ISO 13485 are management-intent commitments — they describe what leadership must be committed to, but there is no corresponding single document that proves the commitment directly. An auditor assesses these indirectly, through the documented outputs the commitment is supposed to produce: quality objectives, management-review minutes, records of resource allocation and training. Asking a company to produce a “management commitment document” would be asking for the wrong artifact.

ISO 13485 §5.1 (management commitment), §5.2 (customer focus), and §6.1 (provision of resources) are treated this way. We assess whether the required outputs exist and are adequate, rather than looking for a commitment document that no standard requires.

We describe these in our coverage as: assessed indirectly — evaluated through documented outputs.

What this page does not claim

We do not claim 100% mechanical clause-for-clause coverage. The methodology above describes deliberate curation, not completeness for its own sake. We do not claim that conditional device-profile evaluation is fully built out across every applicable clause — the sterilization pathway is in production, and the rest is in active development. We do not claim our evaluation eliminates the need for a qualified human reviewer; a tool that evaluates documents is not an auditor. This page describes what we actually do.