The AI Traceability Journal – November 2025
- Team Hoodin
- Nov 5
Updated: Nov 12
The Compliance Matrix Isn’t Optional – Building a Defensible List of Applicable Requirements
Theme: ISO 13485:2016 §4.2.1, §4.1.6 · MDR Annex II §4 · IVDR Annex II §4 · PRRC Oversight · FDA QMSR Alignment
Introduction
Most regulatory teams can show you a list of “applicable regulations and standards.” Far fewer can show how that list was built, why each item is included or excluded, and what process keeps it current.
In 2025, that’s a problem — and auditors know it.
The requirement to maintain a comprehensive, justified, and up-to-date list of applicable requirements is not new. But the enforcement bar is rising. Notified bodies and regulators now expect traceability from requirement to evidence — across product type, intended market, and risk classification.
This issue offers a framework for building a defensible Applicable Requirements System — and how digitalisation enables it to stay accurate, justifiable, and auditable.

Symptoms of a Weak Compliance Matrix
| Symptom | What It Looks Like | Why It Fails |
| --- | --- | --- |
| Static list in a spreadsheet | No versioning, no justification, no reviewer | Can’t prove decisions or updates |
| “Copy-paste” lists from other products | Same matrix used for Class IIa and Class III device | Misaligned with product risk and scope |
| Fragmented ownership | RA owns MDR, QA owns ISO, Engineering owns the rest | No single point of traceability |
| No linkage to product attributes | Device-specific standards missing; irrelevant ones included | Matrix is not defensible under review |
| No monitoring process | No alerts, reviews, or updates logged | Can’t demonstrate ongoing control |
The 5-Part Framework for a Defensible Compliance Matrix
1. Structure Your List by Denominators
Break the matrix into:
- Regulations
- Standards
- Guidance & CS
- Market-specific laws
Tag each entry with:
- Product type
- Risk class
- Region/market
- Company vs. product scope
In a structured system, these tags are generated dynamically from your product profile, ensuring the matrix evolves as your market scope changes.
2. Justify Each Entry
For each requirement:
- Why is it applicable (based on product attributes)?
- If not applicable, why?
- Who approved it?
- When was it last reviewed?
Using an AI-supported platform, justification fields can be standardised — with templates prompting the reviewer for rationale, reviewer name, and timestamp.
3. Link Requirements to Evidence
Create traceability from each entry to:
- QMS procedures
- Technical file sections
- Labelling
- Clinical and PMS plans
- Change records
A digital environment allows you to link each requirement directly to controlled documents and evidence locations — creating a live, auditable chain.
4. Enable Version Control & Audit Trail
- Each update (added/removed/updated requirement) must be logged
- Justify the change
- Timestamp and reviewer signature
In a compliance platform, this process is automated — each change is timestamped, versioned, and linked to the user who approved it.
5. Build a Live Monitoring Layer
- Use a system that actively monitors regulatory, standards, and guidance updates
- Each signal must lead to a review decision: update, no impact, or escalation
- Review frequency should be tied to risk class and market complexity
In Hoodin, this monitoring layer is already operational — automatically linking regulatory changes to your applicable list and prompting users to justify actions.
AI Prompt of the Month: Build a Justification Log Template
“Act as a regulatory strategist. Generate a template for a compliance matrix justification log including the following fields:
- Requirement
- Applicability (Yes/No)
- Justification based on product attributes
- Linked evidence/document reference
- Reviewer name and review date
- Status (Reviewed / Pending / Updated).”
Use this as a foundation to structure your own digital log or import into your compliance tool.
Conclusion
Your compliance matrix is no longer a reference document — it’s the foundation of regulatory defensibility. It must reflect product context, regulatory scope, and your organisation’s risk posture, with justifications, traceability, and ongoing control.
When built into a connected system, every change becomes traceable, every decision justifiable, and every audit defensible.

