Management Review 2026 — Presentation
Date: Monday, 11 May 2026
Place: Online
Attendees: Andy Aguilar (General Manager), Taig Mac Carthy (D&D Manager), Alfonso Medela (Technical Responsible & PRRC), Saray Ugidos (Quality Manager & PRRC), Gerardo Fernández (Systems Responsible), Alba Santacreu Martin (Administration)
Reference standard: ISO 13485:2016, Clause 5.6 — Management review
📋 Agenda (per ISO 13485:2016 §5.6.2)
| # | Topic | ISO 13485 Reference |
|---|---|---|
| 1 | Executive summary | — |
| 2 | Results of audits | §5.6.2 a) |
| 3 | Customer feedback and complaints | §5.6.2 b) |
| 4 | Process performance and product conformity | §5.6.2 c) |
| 5 | Quality objectives 2025 — review | §5.4 |
| 6 | Quality objectives 2026 — approval | §5.4.1 |
| 7 | Non-conformities and CAPAs | §5.6.2 d) |
| 8 | Follow-up actions from previous management reviews | §5.6.2 e) |
| 9 | Changes that could affect the QMS | §5.6.2 f) |
| 10 | New or revised regulatory requirements | §5.6.2 g) |
| 11 | Training and competence — Validation of Training Plan 2026 | §6.2 |
| 12 | Resource needs | §5.6.3 + §6 |
| 13 | Validation of Non-product software list | §7.6 |
| 14 | Validation of suppliers list | §7.4 |
| 15 | Regulatory roadmap — H2 2026 | §5.6.2 g) |
| 16 | Management priorities — H2 2026 | §5.6.3 |
| 17 | Actions and decisions | §5.6.3 |
Executive summary
✅ What went well (January–April 2026)
- 4 external audits passed (BSI ISO 13485, ICON, ENS Applus, BSI Clinical Review)
- 2 internal audits completed with no significant findings
- BSI Surveillance: 5 minor NCRs closed 10 days ahead of deadline
- Quantificare CAPA: all findings (1 major + 9 minor) closed within deadline
- ENS certification: audit passed, 100% of security measures implemented
- 21 suppliers approved, IT security evaluation completed
- CEP and CER delivered to BSI on 30 March 2026 for CE marking under MDR
- MDR CE marking review: AI part ✅ approved, Technical part ✅ approved, Clinical part ⏳ pending
- ANVISA approval obtained (Brazil) — device registered and operational in Brazilian market
⚠️ Items requiring attention
- MDR Clinical review: pending BSI approval of the clinical part of the technical documentation
- JnJ client NCs (2): wrong psoriasis segmentation (R006001-110) and head anonymization issue (R006001-106) — reported April 2026 during UAT, CAPAs open
- UKRP contract (Apotech): PMS/Vigilance scope review — deadline 30 April (pending)
- ICON CAPA: submitted 10 April, awaiting client response
Results of audits — §5.6.2 a)
BSI ISO 13485 Surveillance Audit (27 Feb – 3 Mar 2026) ✅
Audit report ID: 30285725
Organization: AI Labs Group, S.L.
CAP submission deadline: 18 March 2026 (submitted: John.Gonzalez@bsigroup.com)
Result: 5 minor NCRs | 0 major | 0 critical — All closed on 8 March (10 days ahead of deadline).
| NCR | Finding Ref | ISO 13485 Clause | Finding | Status |
|---|---|---|---|---|
| 1 | 2780856-202603-N1 | 4.1.1 | EU 2024/1860, MDCG 2024-16 and UK PMS/Vigilance regulations not incorporated into QMS | ✅ Closed |
| 2 | 2780856-202603-N2 | 4.1.4 | No change control record for ISO 13485 certificate scope reduction (removal of facial palsy) | ✅ Closed |
| 3 | 2780856-202603-N3 | 8.2.1 / 8.2.4 | UK PMS and Vigilance regulations not addressed in post-market procedures | ✅ Closed (pending: UKRP contract review) |
| 4 | 2780856-202603-N4 | 4.2.3 / 7.2.3 | MDD Class I device file not fully maintained | ✅ Closed |
| 5 | 2780856-202603-N5 | 7.2.2 / 7.3.7 | IFU and labelling not validated against approved documentation | ✅ Closed |
Effectiveness checks due: 31 December 2026.
Conclusion: Audit passed successfully. All NCRs were corrected ahead of deadline, demonstrating rapid response capability. Corrective actions addressed gaps in regulatory monitoring (§4.1.1), change control (§4.1.4), post-market surveillance (§8.2.1), document control (§4.2.3), and design transfer verification (§7.3.7).
ICON Audit (16–20 Feb 2026) ✅
Audit ID: IA-10766
Audit type: Routine/Surveillance
Auditor: Mori Miharu, Principal Auditor, Technology Quality Assurance, ICON
CAPA reference: CAPA-ICON-2026-001
Result: 0 critical | 1 major | 1 minor | 1 other. CAPA response submitted 10 April — awaiting client review.
| Finding | Severity | Description | Status |
|---|---|---|---|
| AF-20551 | Major | SDLC/CSV deliverables for the clinical trial WebApp (PWA) not available as a consolidated auditable package | ⏳ CAPA submitted |
| AF-20553 | Minor | Technical documentation of the medical device not available at time of audit | ⏳ CAPA submitted |
| AF-20554 | Other | Document control process to be enhanced | ⏳ CAPA submitted |
Root cause (Major): The clinical trial WebApp was managed as a service delivery channel under GP-009 (Sales) rather than as a formal software component requiring dedicated SDLC/CSV documentation per ISO 13485 §7.3 (Design and development) and §4.2 (Documentation requirements).
Corrective action: New procedure SP-009-011 created — mandates standardized SDLC/CSV deliverables per clinical trial project with CRO involvement.
Quantificare Client Audit (6 Nov 2025) ✅
CAPA reference: CAPA-QF-2025-001
Result: 0 critical | 1 major | 9 minor — All closed.
- Major finding (#6): AI Development Report with missing performance results and dataset statistics → ✅ Closed (3 Feb 2026)
- 9 minor findings covering: customer communication timeframes, GCP risk analysis, training efficacy, supplier evaluation, SOUP management, audit logs, non-product software validation → ✅ All closed (17 Mar 2026)
Conclusion: All corrective actions implemented within deadlines. CAPA plan submitted to Quantificare.
Fortrea Client Audit (Jun 2025) ✅
Result: Audit completed. No significant findings reported.
ENS External Audit — Applus (9–13 Mar 2026) ✅
ENS certification audit passed. Auditor: Manuel Carrillo (Applus). Legit.Health has obtained the ENS (Esquema Nacional de Seguridad) certification, confirming compliance with Spanish national security framework requirements for information systems. The certificate has been issued following the successful completion of the external audit with no major findings.
BSI MDR CE Marking Review — Technical Documentation ✅ / ⏳
CEP and CER were delivered to BSI on 30 March 2026 for CE marking under MDR.
| Review area | Reference | Result |
|---|---|---|
| AI documentation | — | ✅ Approved |
| Technical documentation | — | ✅ Approved |
| Clinical documentation | R-TF-015-001 / R-TF-015-003 | ⏳ Pending BSI review |
Conclusion: The AI and Technical parts of the MDR review have been approved by BSI. The Clinical part (CEP/CER) remains under review. MDR Class IIb CE marking is expected once the clinical review is completed.
Internal audits
| Audit | Date | Auditor | ISO 13485 Reference | Status |
|---|---|---|---|---|
| ISO 13485 Internal Audit | 23 Feb 2026 | PS Consulting | §8.2.4 (Internal audit) | ✅ Completed |
| ENS Internal Audit | 26 Feb 2026 | Adrián Roo | — | ✅ Completed |
| ENS Supplier Security Evaluation | 26 Feb 2026 | Adrián Roo | §7.4 (Purchasing) | ✅ 5 IT suppliers approved |
Customer feedback and complaints — §5.6.2 b)
Feedback data from 2025–2026 collected through:
- Direct enquiries via email, phone and contact form (registered in HubSpot per GP-014)
- Client-reported non-conformities (tracked in Jira R-006-002)
Client-originated non-conformities
| Year | NC ID | Description | Client | Status |
|---|---|---|---|---|
| 2026 | R006001-110 | Wrong psoriasis segmentation | JnJ | ⏳ Open |
| 2026 | R006001-106 | Head anonymization issue (web) | JnJ | ⏳ Open |
Two client-originated NCs were reported by JnJ in April 2026 during Sponsor-led User Acceptance Testing. Both have triggered CAPAs (R006001-111 and R006001-107) which are currently open.
Customer satisfaction surveys (CSAT) and clinical utility surveys (CUS) were not implemented during 2025 due to the ongoing MDR transition process. The decision was made to postpone surveys until the new MDR-certified device is deployed. See Quality Objective 2025 #5 for details.
Action for 2026: Deploy CSAT and CUS surveys after MDR CE mark issuance (see Quality Objective 2026 #5).
Process performance and product conformity — §5.6.2 c)
Quality indicators
Quality indicators from R-002-003 will be reviewed during this meeting. Indicators cover the period 2021–2025.
Quality objectives 2025 — review (§5.4)
| # | 2025 Objective | Final status | Details |
|---|---|---|---|
| 1 | Certify the medical device under MDR | 🔄 Extended to 2026 (95%) | All CAPAs accepted by BSI. Corrective actions implemented. CE mark certificate expected Q2 2026. |
| 2 | Obtain regulatory clearance in new markets | 🔄 Extended to 2026 (60%) | Brazil ✅ (ANVISA approval). USA 🔄 ongoing (FDA pre-sub Q2 2026). Japan, Saudi Arabia, Switzerland ⏸️ on hold. |
| 3 | Enhance cybersecurity | ✅ Completed (100%) | Dmed project finalized. Penetration test executed. Cybersecurity docs created for FDA. Post-market monitoring implemented. |
| 4 | Strengthen technical documentation management across markets | ✅ Completed (100%) | Multi-market documentation structure established (EU, Brazil, USA). IFU management per country implemented. |
| 5 | Product meets customer expectations | 🔄 Extended to 2026 (0%) | Not initiated. Postponed due to MDR transition. Surveys to be deployed on MDR-certified product. |
Detailed analysis per objective
Objective 1 — Certify the medical device under MDR (Extended)
- Q4 2025: All corrective actions implemented and verified. BSI accepted CAPA Plan.
- CE mark certificate under MDR expected Q2 2026.
- Root cause: Extended regulatory process under BSI pilot trial scheme; external dependency on BSI certificate issuance.
- Impact: No impact on QMS effectiveness, product quality, or customer satisfaction.
- Related indicators: Design NCs (1 vs ≤5 ✅), Design inputs/outputs (100% vs ≥95% ✅), QMS NCs (2 vs ≤8 ✅).
Objective 2 — Obtain regulatory clearance in new markets (Extended)
- Brazil: ANVISA approval obtained ✅. Device registered and operational in market.
- USA: FDA process to start in June 2026. Step 1: Pre-submission (Q-Sub) meeting to validate 510(k) strategy using DermaSensor as predicate device and to validate clinical strategy (determine clinical data requirements). Step 2: Prepare and submit 510(k), planned for November 2026.
- Japan, Saudi Arabia, Switzerland: On hold — strategic prioritization toward MDR and FDA.
- Root cause: Deliberate resource allocation to MDR and FDA as highest-impact pathways.
- Related indicators: Incidents communicated (0 ✅), Vigilance/PMS NCs (0 ✅), Recalls (0 ✅), Regulatory submissions (1 vs ≥5 ❌).
Objective 3 — Enhance cybersecurity ✅ Completed
- All planned activities completed: Dmed project, penetration test, cybersecurity documentation, post-market monitoring.
- Related indicators: Data breaches (0 ✅), Infrastructure NCs (0 ✅).
Objective 4 — Strengthen technical documentation management ✅ Completed
- Multi-market documentation strategy implemented (EU, Brazil, USA).
- Related indicators: Design NCs (1 vs ≤5 ✅), Design inputs/outputs (100% ✅), QMS NCs (2 vs ≤8 ✅).
Objective 5 — Product meets customer expectations (Extended)
- 0% completion — strategic postponement until MDR-certified device deployed.
- Alternative feedback mechanisms active: support tickets, direct communication, clinical study feedback.
- Related indicators: Complaints (0 vs ≤10 ✅), Customer complaints (0 vs ≤5 ✅).
Quality objectives 2026 — approval (§5.4.1)
All 2026 quality objectives are currently in Planned status. The purpose of this meeting is to review and approve them.
Established 13 January 2026. All currently in DRAFT status pending approval:
| # | Objective | KPI / Target | Current status | Proposed action |
|---|---|---|---|---|
| 1 | Maintain MDR certification and regulatory compliance | Pass BSI audit without major NCRs; maintain EUDAMED | Planned | Approve |
| 2 | Consolidate regulatory presence in approved markets | Maintain EU/Brazil; FDA pre-sub + 510(k); reassess Japan | Planned | Approve |
| 3 | Continuous cybersecurity improvement | Annual penetration testing; continuous vulnerability monitoring | Planned | Approve |
| 4 | Strengthen technical documentation management | Multi-market documentation automation; periodic reviews | Planned | Approve |
| 5 | Product meets customer expectations | CSAT > 80%, CUS > 75% | Planned | Approve |
Details per objective (from R-002-002-2026 records)
Objective 1 — Maintain MDR certification and regulatory compliance
- Responsible: JD-005, JD-004
- Key actions: Address surveillance findings, maintain technical documentation, EUDAMED updates, annual surveillance.
- Q1 2026 progress: BSI surveillance passed (5 minor NCRs closed). CEP/CER delivered 30 March. AI + Technical reviews approved.
Objective 2 — Consolidate regulatory presence in approved markets
- Responsible: JD-005, JD-004
- Key actions: Maintain ANVISA registration (Brazil), execute FDA process (USA), reassess Japan/Saudi Arabia/Switzerland.
- FDA plan (starting June 2026):
- Pre-submission (Q-Sub) meeting — Validate 510(k) strategy using DermaSensor as predicate device and validate clinical strategy (determine how much clinical data needs to be submitted).
- Prepare and submit 510(k) — Target submission: November 2026.
Objective 3 — Continuous cybersecurity improvement
- Responsible: JD-005, JD-003, JD-004
- Key actions: Annual penetration testing, continuous vulnerability monitoring, SOUP review, cybersecurity training.
Objective 4 — Strengthen technical documentation management
- Responsible: JD-005, JD-003, JD-004
- Key actions: Maintain multi-market docs, automate workflows, periodic consistency reviews, train new members.
- Note: Extended from 2025 (completed in 2025, continuing for maintenance and automation).
Objective 5 — Product meets customer expectations
- Responsible: JD-016
- Key actions: Deploy quarterly CSAT, semi-annual CUS, implement customer feedback loop.
- Targets increased from 2025: CSAT >80% (was >75%), CUS >75% (was >70%).
Decision required
Are the 5 quality objectives for 2026 approved? Should any additional objectives be added?
Non-conformities and CAPAs — §5.6.2 d)
Overview
2025 — Non-conformities
| NC ID | Date | Category | Origin | Description | Status |
|---|---|---|---|---|---|
| R006001-98 | 2025-01-16 | QMS | BSI Audit | The frequency of updating the list of applicable regulations... | ✅ Closed |
| R006001-99 | 2025-01-16 | QMS | BSI Audit | The process to control externally originated documents... | ✅ Closed |
| R006001-104 | 2025-03-13 | Legit.Health Plus | BSI Audit | BSI NC Pilot program — MDR certification findings | ⏳ Open |
2025 — CAPAs
| CAPA ID | Date | Category | Origin | Linked NC | Description | Status |
|---|---|---|---|---|---|---|
| R006001-100 | 2025-01-16 | QMS | BSI Audit | R006001-98 | CAPA: Frequency of regulatory updates | ✅ Closed |
| R006001-101 | 2025-01-16 | QMS | BSI Audit | R006001-99 | CAPA: Control of externally originated documents | ✅ Closed |
| R006001-105 | 2025-03-13 | Legit.Health Plus | BSI Audit | R006001-104 | CAPA: BSI CE Mark process under NC Pilot program | ⏳ Open |
2026 — Non-conformities
| NC ID | Date | Category | Origin | Description | Status |
|---|---|---|---|---|---|
| R006001-103 | 2026-01-07 | Legacy (MDD) | Internal Development | API Infinite Loop — server-side memory issue | ✅ Closed |
| R006001-106 | 2026-04-21 | QMS | Client (JnJ) | Head anonymization issue in web application | ⏳ Open |
| R006001-110 | 2026-04-21 | QMS | Client (JnJ) | Wrong psoriasis segmentation | ⏳ Open |
2026 — CAPAs
| CAPA ID | Date | Category | Origin | Linked NC | Description | Status |
|---|---|---|---|---|---|---|
| R006001-102 | 2026-01-07 | Legacy (MDD) | Internal Development | R006001-103 | Correction of API server-side memory issue | ✅ Closed |
| R006001-107 | 2026-04-21 | QMS | Client (JnJ) | R006001-106 | CAPA: Head anonymization — UAT finding | ⏳ Open |
| R006001-111 | 2026-04-21 | QMS | Client (JnJ) | R006001-110 | CAPA: Wrong psoriasis segmentation — UAT finding | ⏳ Open |
External audit CAPAs (managed outside Jira)
| CAPA | Source | Deadline | Status |
|---|---|---|---|
| Quantificare (1 major + 9 minor) | Quantificare audit | 17 Mar 2026 | ✅ All closed |
| BSI CAP (5 NCRs) | BSI Surveillance 2026 | 18 Mar 2026 | ✅ Closed (8 Mar) |
| BSI marketing material | BSI (MDD) | Completed | ✅ Done |
| BSI NCR 3 — UKRP contract | BSI Surveillance 2026 | 30 Apr 2026 | ⏳ Pending |
| ICON CAPA (3 findings) | ICON audit | 10 Apr 2026 | ⏳ Under review |
| BSI effectiveness checks | BSI Surveillance 2026 | 31 Dec 2026 | 🗓️ Scheduled |
Summary
| Category | NCs (2025–2026) | Closed | Open | CAPAs (2025–2026) | Closed | Open |
|---|---|---|---|---|---|---|
| QMS | 4 | 2 | 2 | 4 | 2 | 2 |
| Legit.Health Plus | 1 | 0 | 1 | 1 | 0 | 1 |
| Legacy (MDD) | 1 | 1 | 0 | 1 | 1 | 0 |
| Total | 6 | 3 | 3 | 6 | 3 | 3 |
Conclusion: 3 of 6 NCs closed, 3 of 6 CAPAs closed. Open items:
- (1) R006001-104/105 — BSI NC Pilot program (MDR certification) — pending BSI clinical review
- (2) R006001-106/107 — JnJ head anonymization — UAT finding, CAPA open
- (3) R006001-110/111 — JnJ wrong psoriasis segmentation — UAT finding, CAPA open
- (4) UKRP contract review — was due 30 April
- (5) ICON CAPA — awaiting client response
- (6) BSI effectiveness checks — scheduled December 2026
Decision required
UKRP contract (Apotech): has the PMS/Vigilance scope review been completed? JnJ CAPAs (R006001-107, R006001-111): what is the plan and timeline for resolution?
Follow-up from previous management reviews — §5.6.2 e)
The 2025 management review was held on 13 January 2025 with Andy Aguilar, Taig Mac Carthy, Alfonso Medela, and Giulia Foglia.
QMS improvements identified in MR 2025
| # | Action | Status | Notes |
|---|---|---|---|
| 1 | FDA small business certificate renewal (Aug–Sep annually) | ✅ Done | Renewed. |
| 2 | Revise software requirements documentation for FDA compliance | ✅ Done | DHF restructured and migrated to GitHub (R-023-001_003). |
| 3 | Perform usability test (IEC 62366-1) for HCP and ITP in Europe | ⏳ In progress | Linked to MDR CE marking clinical review. |
| 4 | Perform usability test (IEC 62366-1 + FDA guidance) for HCP and ITP in USA | ⏳ In progress | Part of FDA pre-submission preparation. |
| 5 | Revise SP-012-001 Cybersecurity for FDA guidance | ✅ Done | Completed as part of Quality Objective 2025 #3. |
| 6 | Create cybersecurity records for FDA submission | ✅ Done | Dmed software project completed Q4 2025. |
| 7 | Revise DHF test plans/records for IEC 62304 compliance | ✅ Done | Part of QMS restructuring (R-023-001_005). |
| 8 | Create procedures for Japan, Saudi Arabia regulatory requirements | ⏸️ On hold | Markets deprioritized; focus on MDR + FDA. |
| 9 | Revise quality policy (applicable standards section) | 📅 Planned Sep 2026 | Quality policy review planned September 2026. |
Regulatory changes identified in MR 2025
| # | Action | Status | Notes |
|---|---|---|---|
| 1 | [USA] Create PCCP record for FDA submission | ✅ Done | GP-024 reassigned to PCCP (R-023-001_005). |
| 2 | [USA] Update GUDID requirements in GP-026 | ⏳ In progress | Part of FDA preparation. |
| 3 | [USA] UDI number assignation/management | ⏳ In progress | Part of FDA preparation. |
| 4 | [EU] Revise GP-015 Clinical evaluation for MDCG 2024-15 | ✅ Done | Updated as part of MDR transition. |
| 5 | [EU] Document Regulation 2024/1860 in GP-008 | ✅ Done | Incorporated during BSI NCR 1 corrective action. |
| 6 | [EU] Fill in EUDAMED modules when available | ⏳ Ongoing | Modules being filled as they become available. |
| 7 | [EU] Analyze AI Act (Regulation 2024/1689) requirements | ⏳ In progress | Impact assessment needed. |
Resource needs identified in MR 2025
| # | Action | Status | Notes |
|---|---|---|---|
| 1 | Hire Quality & Regulatory Manager | ✅ Done | Saray Ugidos appointed (R-023-001_006). |
| 2 | Hire Product Marketing, Project Manager, Account Manager, BD Director | ⏳ Partially | Some positions filled. |
| 3 | Hire Customer Success Specialist | ⏳ Pending | |
| 4 | Identify authorized representatives in Japan, Saudi Arabia, Switzerland | ⏸️ On hold | Markets deprioritized. |
Follow-up from 2024 MR actions (verified during 2025 MR)
| # | Action | Status |
|---|---|---|
| 1 | Supplier evaluation update | ✅ Done |
| 2 | Quality calendar update | ✅ Done |
| 3 | Small business renewal (FDA) | ✅ Done |
| 4 | Separate clinical investigation procedure | ❌ Deferred (low priority) |
| 5 | FDA QSR gap analysis | ❌ Deferred (new QSR effective Feb 2, 2026) |
| 6 | Regulatory strategy & roadmap | ✅ Done |
| 7 | PCCP creation | ✅ Done |
| 8 | AEMPS annual renewal | ✅ Done |
Changes that could affect the QMS — §5.6.2 f)
The following change control records have been documented:
| Record | Change name | Implementation date | Status |
|---|---|---|---|
| R-023-001_001 | Change in Person Responsible for Regulatory Compliance (PRRC) | 2025-01-07 | ✅ Implemented |
| R-023-001_002 | Change in documenting NC and CAPA (split templates) | 2023-03-04 | ✅ Implemented |
| R-023-001_003 | DHF migration from Confluence to GitHub | 2024-08-09 | ✅ Implemented |
| R-023-001_004 | Registration of medical device in Brazil (ANVISA) | 2024-12-15 | ✅ Implemented |
| R-023-001_005 | QMS restructuring for MDR transition and TF v1.1.0.0 | 2026-02-23 | ✅ Implemented |
| R-023-001_006 | New PRRC and QA/RA Manager (Saray Ugidos) | 2025-03-01 | ✅ Implemented |
| R-023-001_007 | Change of AEMPS Technical Responsible and PRRC (Alfonso → Taig) | June 2026 (est.) | ⏳ Pending AEMPS approval |
| R-023-001_008 | Reduction of ISO 13485 certificate scope (removal of facial palsy) | 2025-12-01 | ✅ Implemented (retroactive record, BSI NCR 2 corrective action) |
Key changes for discussion
R-023-001_005 — QMS restructuring for MDR transition (implemented 23 Feb 2026):
- 3 new procedures created: GP-028 (AI Development), GP-029 (Software Delivery), GP-030 (Cyber Security Management)
- 2 procedures reassigned: GP-024 (now PCCP), GP-025 (now Usability/Human Factors)
- 3 procedures substantially rewritten: GP-012, GP-013, GP-023
- 2 procedures simplified: GP-002, GP-005
- Document responsibility matrix reorganised from 9 to 14 groups
R-023-001_007 — Change of AEMPS Technical Responsible and PRRC (Alfonso → Taig):
- Estimated implementation: June 2026. Plan: submit notification to AEMPS, update manufacturer license, update org chart and quality manual.
Decision required
R-023-001_007: Confirm June 2026 as target date for AEMPS change completion.
New or revised regulatory requirements — §5.6.2 g)
| Regulation / Guidance | Update | Date | Impact on QMS |
|---|---|---|---|
| FDA QSR (21 CFR 820) | Harmonized with ISO 13485, effective 2 Feb 2026 | Feb 2026 | Verify alignment — action needed |
| EU 2024/1860 | MDR transitional provisions | 2024 | Already incorporated (BSI NCR 1 closure) |
| MDCG 2024-16 | Guidance on prevention/management of critical shortages | 2024 | Already incorporated (BSI NCR 1 closure) |
| UK PMS/Vigilance | Updated UK-MDR post-market regulations | 2025 | Already incorporated (BSI NCR 3 closure) |
| EU AI Act | Implementing acts published | 2025 | Impact assessment needed |
Training and competence — §6.2 — Validation of Training Plan 2026
The purpose of this agenda item is to validate and close the Training Plan 2026 (R-005-003-2026).
Training completed (2025–2026)
| Date | Training | Trainer | Trainees | Status |
|---|---|---|---|---|
| Oct–Nov 2025 | IEC 62304 — Medical device software lifecycle processes | Saray Ugidos | Gerardo Fernández, Alejandro Carmena | ✅ Done |
| Oct–Nov 2025 | IEC 82304 — Health software product safety | Saray Ugidos | Gerardo Fernández, Alejandro Carmena | ✅ Done |
| Oct–Nov 2025 | GP-012, GP-028, GP-029, GP-013 (QMS procedures) | Saray Ugidos | Alejandro Carmena | ✅ Done |
| Oct–Nov 2025 | GP-013 Risk management | Saray Ugidos | Jordi Barrachina, Gerardo Fernández | ✅ Done |
| Oct–Nov 2025 | GP-002, GP-019 | Saray Ugidos | Gerardo Fernández | ✅ Done |
| 23 Apr 2026 | Claude Code | Taig Mac Carthy | 20 people | ✅ Done |
The IEC 62304, IEC 82304 and QMS procedure trainings were conducted in October–November 2025 and have been retroactively included in the Training Plan 2025 (R-005-003-2025).
Training Plan 2026 — Upcoming sessions
| Planned date | Training | Provider / Trainer | Audience | Status |
|---|---|---|---|---|
| 18 May 2026 | GDPR and AI literacy, awareness and ethics | Audens | All staff (23) | 🗓️ Scheduled |
| 19 May 2026 | GDPR Compliance and Ethical AI in Product Development | Audens | 13 people | 🗓️ Scheduled |
| 21 May 2026 | GDPR and AI Ethics: Responsible Data Use in Business Growth | Audens | 12 people | 🗓️ Scheduled |
| 22 May 2026 | GDPR and AI Literacy for Operations and Compliance | Audens | 4 people | 🗓️ Scheduled |
| 15 Jun 2026 | ENS: Configuración segura de sistemas AWS y Google | Taig Mac Carthy / Gerardo Fernández | 7 people (ENS) | 🗓️ Scheduled |
| 17 Jul 2026 | Cybersecurity Awareness Training | JD-003 & JD-020 | All staff (23) | 🗓️ Scheduled |
| 15 Sep 2026 | ENS: Detección y reacción ante incidentes (CCN 817) | Taig Mac Carthy / Gerardo Fernández | 7 people (ENS) | 🗓️ Scheduled |
| 15 Nov 2026 | ENS: Gestión segura de información | Taig Mac Carthy / Gerardo Fernández | 7 people (ENS) | 🗓️ Scheduled |
Mandatory training per training matrix (§6.2): GDPR (annual), Cybersecurity (annual), QMS procedures (annual), Good Clinical Practice (every 3 years).
Next immediate action: GDPR/AI sessions the week of 18 May — ensure attendance.
Decision required
Is the Training Plan 2026 (R-005-003-2026) validated and closed?
Resource needs — §5.6.3 c) + §6
Suppliers evaluation — §7.4
- 21 suppliers currently approved (all evaluated per GP-010)
- ENS IT supplier security evaluation completed February 2026 (AWS, Atlassian, Google, Slack, Microsoft — all approved)
- Annual supplier evaluation planned: June 2026
Infrastructure — §6.3
Infrastructure status reviewed per GP-018. No significant changes reported.
Pending annual reviews
| Review | Planned date | Notes |
|---|---|---|
| External documents review | May 2026 | Partially completed (EU 2024/1860, MDCG 2024-16, UK PMS added in March) |
| Suppliers evaluation | June 2026 | 21 suppliers; IT security eval. already done |
| Quality policy review | September 2026 | Last updated: Q1 2025 |
Validation of Non-product software list — §7.6
Review and validate the current list of non-product software per GP-019. Confirm that all tools used in QMS and product development processes are included and their validation status is current.
Non-product software list to be reviewed during the meeting.
Validation of suppliers list — §7.4
Review and validate the current approved suppliers list per GP-010. Confirm that all active suppliers are evaluated and approved.
Suppliers list (R-010-001) to be reviewed during the meeting.
Regulatory roadmap — H2 2026
| Milestone | Planned date | Priority |
|---|---|---|
| MDR Clinical review (BSI) — pending | May–June 2026 | 🔴 High |
| FDA Pre-Sub (Q-Sub) meeting | June 2026 | 🔴 High |
| Small business certificate renewal (FDA) | Aug–Sep 2026 | 🟡 Medium |
| FDA 510(k) preparation | Jul–Oct 2026 | 🔴 High |
| FDA 510(k) submission | November 2026 | 🔴 High |
| BSI effectiveness checks | December 2026 | 🟢 Routine |
Management priorities — H2 2026
This section is reserved for Top Management input. The Quality Manager requests guidance from the General Manager and the management team on the following topics:
Questions to the management team
-
Strategic focus areas: Where should the Quality & Regulatory team focus their efforts for the remainder of 2026? How should we prioritize between:
- MDR clinical review follow-up (BSI)
- FDA 510(k) preparation and submission
- Open CAPAs resolution (JnJ findings)
- QMS continuous improvement
-
Resource allocation: Are additional resources (personnel, budget, external consultants) needed to meet H2 2026 objectives?
-
Market strategy: Should we continue to deprioritize Japan, Saudi Arabia, and Switzerland, or should any of these markets be reactivated?
-
Product roadmap alignment: Are there upcoming product changes or new features that will require QMS/regulatory support?
-
Risk appetite: What level of risk is acceptable regarding the MDR clinical review timeline? Should we engage external clinical consultants to accelerate?
Management feedback and decisions to be documented in the meeting minutes.
Outputs — Actions and decisions required (§5.6.3)
Per ISO 13485:2016 §5.6.3, the outputs of the management review shall include decisions and actions related to:
§5.6.3 a) Improvement needed to maintain suitability, adequacy and effectiveness of the QMS
| # | Action | Owner | Proposed deadline |
|---|---|---|---|
| 1 | Complete UKRP (Apotech) contract review — define PMS/Vigilance scope for UK | Saray Ugidos | Immediate |
| 2 | Follow up on MDR clinical review with BSI | Saray Ugidos + Alfonso Medela | May–June 2026 |
| 3 | Verify QMS alignment with new FDA QSR (21 CFR 820 harmonized) | Saray Ugidos | June 2026 |
| 4 | Assess EU AI Act impact on QMS | Saray Ugidos | June 2026 |
| 5 | Complete external documents review (R-TF-001-005) | Saray Ugidos | May 2026 |
§5.6.3 b) Improvement of product related to customer requirements
| # | Action | Owner | Proposed deadline |
|---|---|---|---|
| 6 | Deploy CSAT and CUS surveys after MDR CE mark issuance | JD-016 | Q2–Q3 2026 |
§5.6.3 c) Changes needed to respond to new or revised regulatory requirements
| # | Action | Owner | Proposed deadline |
|---|---|---|---|
| 7 | Approve quality objectives 2026 | Andy Aguilar | In this meeting |
| 8 | Document 2025 quality objectives final evaluation | Saray Ugidos | In this meeting |
| 9 | Validate and close Training Plan 2026 | Andy Aguilar | In this meeting |
| 10 | Validate Non-product software list | Saray Ugidos | In this meeting |
| 11 | Validate Suppliers list | Saray Ugidos | In this meeting |
| 12 | Plan suppliers evaluation | Saray Ugidos | June 2026 |
| 13 | Ensure attendance at GDPR/AI training sessions (18–22 May) | All | 18 May 2026 |
| 14 | Follow up AEMPS Technical Responsible change (R-023-001_007) | Saray Ugidos | June 2026 |
Decisions required in this meeting
- Quality objectives 2025 — evaluation: Are all 5 objectives marked with their final status?
- Quality objectives 2026 — approval: Are the 5 proposed objectives approved? (Change status from Planned to Approved.)
- Training Plan 2026 — validation: Is R-005-003-2026 validated and closed?
- Non-product software list — validation: Is the current list validated?
- Suppliers list — validation: Is the current approved suppliers list validated?
- MDR Clinical review: What is the expected timeline for BSI approval of the clinical part?
- UKRP contract: Has the PMS/Vigilance scope review been completed? (Deadline was 30 April)
- JnJ CAPAs: What is the plan and timeline for resolving the open client-originated NCs?
- Management priorities: Where should the QA/RA team focus for H2 2026?
- Quality policy: Is an update needed, or can it wait until the September review?
- Resource needs: Are additional personnel, tools, or budget required for H2 2026?
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & Person Responsible for Regulatory Compliance (PRRC)
- Approver: JD-001 General Manager