Article 17 — Quality Management System
Article 17 requires providers to put a documented quality management system in place ensuring compliance with the regulation. The QMS must cover compliance strategy, design control, testing, data management, risk management, and accountability.
Art. 17(1)(a)
Strategy for regulatory compliance including modification management
Cascade invalidation is the modification management system. Any change triggers automatic re-evaluation of all affected compliance artifacts. ARTIFACT_STALE_SET events prove modifications were detected and managed.
Art. 17(1)(b)
Design, design control and design verification techniques
Phase gates enforce design-before-verification sequence. Freeze-on-advance locks design before implementation. The change control process manages design changes through the pipeline.
Art. 17(1)(c)
Development, quality control, quality assurance techniques
QA_REPORT requires GO status for gate passage. Test scope tracking ensures adequate coverage. Security review provides independent quality verification of the implementation.
Art. 17(1)(d)
Examination, test and validation procedures before, during and after development
Pipeline phases enforce testing at multiple points: IMPLEMENTATION, QA_EXECUTION, PRE_DEPLOY_REVIEW, and POST_DEPLOY_VALIDATION. Each phase has specific gate requirements.
Art. 17(1)(f)
Data management systems and procedures
Comprehensive data management documentation covering data acquisition, collection, analysis, labelling, storage, processing pipeline, and retention policies.
Art. 17(1)(k)
Record-keeping systems and procedures
Every action produces an immutable, hash-chained event. The audit chain is the record-keeping system. Integrity is verifiable via cryptographic hash chain verification.
Art. 17(1)(m)
Accountability framework
Role-to-artifact ownership mapping is enforced by the engine. Each agent can only submit artifacts they own, during their active phases. Unauthorized submissions are rejected and logged as capability violations.