Think about the last time someone on your quality team used an AI tool to draft a CAPA summary, pull highlights from a complaint record, or search across your SOP library for a specific procedure. That interaction produced output that likely influenced a regulated quality decision. Under ISO 13485, the software behind that interaction requires documented validation evidence.
Most medical device companies have not yet caught up to this. Until recently, teams answered audit questions about AI by saying they did not use AI tools in their QMS workflows. Notified body auditors and regulatory consultants report that answer is becoming harder to sustain. AI tools are present in MedTech quality environments whether or not the QMS formally acknowledges them, and auditors are increasingly aware of it.
The good news is that ISO 13485 does not require exhaustive validation of every AI feature. It requires proportionate, documented validation based on the risk of how the tool gets used. Understanding what that means in practice is the difference between a prepared audit response and a non-conformity finding.
- Drafting or revising QMS procedures, SOPs, or work instructions.
- Summarizing complaint records or adverse event reports.
- Generating content for clinical evaluation reports or post-market surveillance summaries.
- Producing CAPA investigation summaries.
- Answering questions about quality documentation during an audit or inspection.

Any AI output that contributes to documented quality evidence or influences a regulated decision falls within Clause 4.1.6’s scope.
What Clause 4.1.6 actually requires
ISO 13485:2016 Clause 4.1.6 states plainly that any computer software used in the quality management system shall be validated before use. The specific approach and validation activities shall be proportionate to the risk associated with the use of the software.
“Computer software used in the quality management system shall be validated before initial use and, as appropriate, after changes to such software or its application. The specific approach and activities associated with software validation and revalidation shall be proportionate to the risk associated with the use of the software.”
The clause does not distinguish between traditional QMS platforms and AI tools. The defining test is whether the software’s output contributes to documented evidence, supports quality decisions, or influences product compliance outcomes. AI tools that meet that test require validation documentation before your quality team relies on them.
The proportionality principle provides real flexibility. An AI tool whose output feeds directly into a technical file or batch record sits at the high end of the risk scale and requires rigorous documented validation. A tool that generates draft content reviewed and approved by a qualified person before entering any controlled record carries lower risk. The standard does not tell you what validation looks like in either case. It requires you to document a risk-based rationale for why your chosen validation depth matches the identified risk.
Gaps in that rationale, rather than technical failures in the AI tool itself, generate most audit findings. An auditor who asks for AI validation documentation and finds none can raise a non-conformity quickly. A documented risk-proportionate strategy is significantly harder to challenge.
The outsourced process problem cloud AI creates
Beyond Clause 4.1.6, cloud AI tools create a second compliance question under Clause 4.1.5, which governs outsourced processes affecting product conformity.
“Where an organization chooses to outsource any process that affects product conformity to requirements, the organization shall maintain responsibility for conformity to this International Standard and to customer and applicable regulatory requirements for the outsourced processes. The organization shall apply a risk-based approach to the control of the outsourced processes, and shall determine the controls necessary.”
When your quality team submits a complaint record, CAPA documentation, or clinical evaluation content to a cloud AI platform, that material transits to infrastructure you do not own or manage. Under Clause 4.1.5, that is an outsourced process. Your QMS must define the controls over it, document the oversight arrangements, and maintain responsibility for ensuring the outsourced process meets applicable requirements.
In practice, this means cloud AI vendors become part of your quality system perimeter. Written agreements, vendor qualification documentation, and ongoing oversight arrangements all require management. Your quality team holds responsibility for what happens to your documentation inside a system you cannot audit independently.
MedTech regulatory consultancy MD Squared reports that notified body auditors are beginning to raise findings with language such as: “Validation of AI tools was not evaluated in accordance with Section 4.1.6.” The firm notes that an absence of risk-based justification gives auditors clear grounds for non-conformities, while proportional validation backed with objective risk analysis “is significantly harder to challenge.”
The three scenarios where risk escalates
Proportionate validation requires understanding where AI use carries the most compliance risk in your quality system. Three scenarios reliably sit at the higher end of the scale.
Summarizing without source review. When an AI tool condenses a clinical literature source, complaint narrative, or post-market surveillance report, and no qualified person reviews the original source before that summary enters a controlled document, the organization loses a critical verification layer. ISO 13485 Clause 4.2 requires document review and approval by personnel with appropriate expertise. AI-generated summaries accepted without source-level review bypass that control.
Generating content for technical files or CERs. Clinical evaluation reports and technical files submitted for EU MDR and IVDR notified body review must meet specific content requirements under applicable harmonized standards. AI tools contributing to those documents require validation evidence demonstrating that the tool performs accurately and consistently for the intended use. A vendor’s data sheet does not satisfy this requirement. Your own intended-use validation does.
Answering questions during audits or inspections. Quality and regulatory staff increasingly query AI tools when preparing for, or responding during, notified body audits and FDA inspections. When that AI output shapes how your team answers investigator questions, the accuracy and traceability of the tool’s responses become a direct quality system integrity issue. The tool needs to answer from your own controlled documentation, with answers your team can independently verify.
What a proportionate validation record covers
ISO 13485 does not prescribe a specific validation format. A defensible validation record for an AI tool used in a QMS context should document:
- the intended use of the tool within your quality system;
- the risk assessment for that specific use, based on potential impact on product safety and regulatory evidence integrity;
- the verification approach selected and the rationale for why it matches the identified risk;
- test cases and acceptance criteria appropriate to the risk level;
- test results and a conclusion on adequacy;
- the review and approval signatures of qualified personnel.
For a tool whose output undergoes qualified human review before entering any controlled record, the validation record may be relatively concise. For a tool producing content that enters technical files or influences batch release decisions, the record requires proportionately more depth. The common thread is documented rationale — your reasoning for why the validation approach fits the risk.
The on-premises answer
On-premises AI running inside your organization’s own quality-controlled infrastructure addresses both compliance questions simultaneously. Clause 4.1.5 does not apply because no quality data leaves your controlled environment — there is no outsourced process to define and manage. Validation documentation, access controls, and human review oversight all exist within the same quality management system framework your team already manages for your other QMS software.
Your AI tool answers questions from your own controlled documentation — your specific SOPs, your CAPA records, your validation protocols, your complaint history. The answers trace back to sources your team owns and can verify independently. When a notified body auditor asks about the AI system’s validation status, your quality team answers from your own records.
Validation is still required. Clause 4.1.6 applies to any QMS software regardless of where it runs. The difference is that your team performs and controls every element of that validation rather than managing a vendor relationship to verify controls you cannot independently audit.
- Map every AI tool currently used by your quality and regulatory team against QMS workflows.
- Classify each use by risk level based on how directly AI output influences regulated quality decisions.
- Complete proportionate validation documentation before the tool contributes to any controlled record.
- Address Clause 4.1.5 requirements in writing for any cloud-based AI tool that processes quality documentation.
- Ensure qualified human review procedures cover all AI-generated content before it enters controlled documents.
- If the tool runs inside your own infrastructure, verify that your existing QMS software controls extend to cover it.