For quality engineers, validation specialists, and smaller device companies who want compliance clarity without the hype.
There is a particular kind of fatigue settling over the medical device quality community. Every vendor, every conference keynote, every LinkedIn post insists that AI will transform your quality system. Meanwhile, your team is trying to figure out whether your corrective action procedure actually satisfies ISO 13485 clause 8.5 before the next audit.

AI might help with that question. But it is not the only way to answer it, and for many companies it is not even the best starting point.
QAtrial v3.0 ships with an ISO 13485:2016 compliance assessment that works in two modes: a keyword-based static analysis that requires no AI, no API key, and no internet connection — and an AI-powered deep analysis for teams that want to go further. This article explains both approaches, when each makes sense, and why starting without AI might be the smarter move.
The Traditional Approach: Expensive, Slow, and Opaque
ISO 13485 compliance assessment has traditionally been a consultant-driven process. A quality consulting firm sends one or two auditors to your facility for three to five days. They review your quality manual, interview process owners, sample records, and produce a gap report. The engagement costs between $10,000 and $50,000 depending on company size, and the report arrives two to four weeks later.

The report is valuable, but it is a snapshot. The moment you update a procedure or add a requirement, the assessment is stale. Running another engagement costs another $10,000. Most companies settle for annual assessments and hope nothing drifts too far between cycles.
This model is especially punishing for smaller companies — the 10-person device startup that needs to demonstrate ISO 13485 compliance for their first 510(k) submission but cannot justify a $30,000 consulting engagement.

QAtrial’s Static Assessment: 27 Clauses, Zero AI
QAtrial’s keyword-based assessment covers all 27 clauses of ISO 13485:2016, organized into five sections:

Section 4: Quality Management System (6 clauses)
- 4.1 General requirements — QMS establishment, documentation, continual improvement
- 4.2.1 Documentation general — Quality policy, objectives, documented procedures
- 4.2.2 Quality manual — Scope, documented procedures, process interaction
- 4.2.3 Medical device file — Technical file per device type/family (criticality: critical)
- 4.2.4 Control of documents — Approval, review, version control, obsolescence
- 4.2.5 Control of records — Identification, storage, retrieval, retention, disposition
Section 5: Management Responsibility (6 clauses)
- 5.1 Management commitment — Leadership evidence, resources, communication
- 5.2 Customer focus — Customer and regulatory requirements determination
- 5.3 Quality policy — Appropriateness, commitment to comply, communication
- 5.4 Planning — Quality objectives, QMS planning
- 5.5 Responsibility, authority, communication — Org chart, management representative
- 5.6 Management review — Inputs (audit results, CAPA status), outputs (improvement actions)
Section 6: Resource Management (4 clauses)
- 6.1 Provision of resources — Resource determination and allocation
- 6.2 Human resources — Competence, training records, qualification
- 6.3 Infrastructure — Facilities, equipment, maintenance
- 6.4 Work environment — Contamination control, cleanroom, environmental monitoring
Section 7: Product Realization (6 clauses)
- 7.1 Planning — Quality plan, processes, resources, V&V criteria
- 7.2 Customer-related processes — Requirements determination, contract review
- 7.3 Design and development — The big one: inputs, outputs, review, V&V, transfer, changes, DHF (criticality: critical)
- 7.4 Purchasing — Supplier evaluation, incoming inspection, approved supplier list
- 7.5 Production and service provision — Process validation, traceability, sterilization, UDI (criticality: critical)
- 7.6 Monitoring and measuring equipment — Calibration, measurement records
Section 8: Measurement, Analysis and Improvement (5 clauses)
- 8.1 General — Statistical techniques, data analysis planning
- 8.2 Monitoring and measurement — Internal audit, complaints, adverse events, vigilance (criticality: critical)
- 8.3 Control of nonconforming product — NCR, deviation, rework, concession (criticality: critical)
- 8.4 Analysis of data — Trend analysis, KPIs, performance indicators
- 8.5 Improvement — CAPA procedures, root cause, effectiveness checks (criticality: critical)

How the Keyword Matching Works
Each clause in QAtrial’s registry has a curated set of keywords. These are not random terms — they are the specific vocabulary that ISO 13485 uses and that well-written requirements typically echo.

For example, clause 7.3 (Design and Development) has these keywords: design control, design input, design output, design review, design verification, design validation, design transfer, design change, design history, dhf, v&v.
When you run the assessment, QAtrial concatenates each requirement’s title and description into a single text string, converts it to lowercase, and tests each clause keyword for a literal occurrence in that text. A keyword must appear exactly as written, word order and spacing included. If at least one keyword matches, the requirement is associated with that clause.
The scoring logic:
- 2+ matched requirements = “covered” (green)
- 1 matched requirement = “partial” (yellow)
- 0 matched requirements = “gap” (red)
This is deliberately conservative. A single requirement matching a clause gets “partial” rather than “covered” because ISO 13485 clauses typically require multiple documented controls. Having one requirement that mentions “calibration” does not mean your clause 7.6 obligations are fully addressed — you probably also need a calibration procedure, a calibration schedule, and record retention requirements.

Criticality Levels: Not All Gaps Are Equal
QAtrial assigns a criticality level to each clause: critical, high, medium, or low. This matters because a gap in clause 8.5 (CAPA) is a fundamentally different audit risk than a gap in clause 5.3 (Quality Policy).
The critical clauses are:
- 4.1 General QMS requirements
- 4.2.3 Medical device file
- 7.3 Design and development
- 7.5 Production and service provision
- 8.2 Monitoring and measurement (complaints, vigilance)
- 8.3 Control of nonconforming product
- 8.5 CAPA
These are the clauses where FDA 483 observations and Notified Body findings most often land. A gap in any of them should be your first priority.
High-criticality clauses include documentation controls (4.2.4, 4.2.5), management review (5.6), human resources and training (6.2), purchasing/supplier qualification (7.4), and data analysis (8.4). Medium-criticality clauses cover management commitment, quality policy, planning, and resource management.
The assessment view displays these criticality badges next to each clause, so you can immediately see which gaps demand urgent attention and which can be scheduled for the next quarter.

The Privacy Argument
Here is something that gets overlooked in the rush to add AI to everything: the static assessment runs entirely in your browser. QAtrial is a client-side application. When you run the keyword-based gap assessment, the matching happens in JavaScript on your machine. Your requirements, your quality data, your gap results — none of it leaves your network.
For companies in regulated industries, this is not a minor point. Pharmaceutical and medical device companies have data classification policies. Quality system documentation often contains proprietary manufacturing processes, design specifications, and supplier information. Sending that data to a cloud API — even an encrypted one — requires security review, vendor qualification, and often legal approval.

The static assessment sidesteps all of that. Install QAtrial, load your requirements, run the assessment. What your IT security team reviews is the application itself, once (it is open source, so the matching code can be inspected), rather than a recurring data flow to a third party. The claim is also easy to verify: keep the browser’s network panel open while the assessment runs and confirm that no requests are sent.
The “+ Req” Button: From Gap to Requirement in One Click
Finding gaps is useful. Closing gaps is what matters.
Every clause in the assessment that shows “partial” or “gap” status has a “+ Req” button. Click it, and QAtrial generates a new requirement pre-populated with:
- A title derived from the clause (e.g., “ISO 13485 Section 8.5 — Corrective and Preventive Action Procedure”)
- A description based on the clause’s requirements
- The regulatory reference (ISO 13485:2016 Section X.X)
- A risk level derived from the clause’s criticality rating
- Tags linking the requirement to the specific clause
You review, customize, and save. The requirement enters your project’s standard lifecycle — draft, review, approval. The next time you run the assessment, that clause moves from “gap” to “partial” or “covered.”
This is the workflow that makes self-assessment practical for small teams. You do not need a consultant to tell you what requirements to write. The clause registry already knows what ISO 13485 expects. You need a quality engineer who understands your specific processes to fill in the details.
When AI Adds Value
The static assessment is powerful for what it does, but it has inherent limitations. Keyword matching is literal. It cannot interpret intent.
Consider a requirement titled “Incoming Inspection Procedure” with the description “All incoming materials shall be inspected or verified against purchase specifications before use in production.” This addresses part of clause 7.4 (Purchasing), specifically verification of purchased product. With 7.4 keywords of purchasing, supplier, vendor, supplier evaluation, supplier qualification, incoming inspection, approved supplier, the static matcher picks it up on “incoming inspection”. Note how literal that hit is: retitle the requirement “Incoming Material Inspection Procedure” and the phrase “incoming inspection” no longer occurs anywhere in the text, “purchase specifications” does not contain “purchasing”, and the requirement is missed.

Now consider a requirement titled “Component Acceptance Protocol” with the description “Components received from qualified sources shall undergo dimensional and functional testing per approved acceptance criteria before release to manufacturing.” This addresses the same clause, but it contains none of the 7.4 keywords (it even has to avoid “vendors”, which a substring test for “vendor” would catch). The static matcher misses it.

A language model is far less likely to miss it. When you switch to AI mode, QAtrial sends your requirements along with the full clause descriptions to the LLM; with a cloud provider, that is the point at which your quality data leaves the browser. The model can recognize that “components received from qualified sources” relates to purchasing controls, that “acceptance criteria” relates to verification of purchased product, and that “release to manufacturing” implies a documented incoming inspection process.
AI mode also provides recommendations that go beyond keyword detection. For a clause marked as “partial,” the AI might note: “Your design verification requirement covers unit testing but does not address system-level verification or verification of design outputs against design inputs. Consider adding a requirement for integration testing and a design output review checklist.”
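The static matcher described under “How the Keyword Matching Works”, run over the two 7.4 requirements above, as an added example in JavaScript (the language the client-side assessment runs in). This is illustrative code written for this article, not QAtrial’s own implementation. The 7.3 and 7.4 keyword lists, the 2+/1/0 scoring thresholds and the criticality of 7.3 (critical) and 7.4 (high) come from the article; the 7.6 keywords and criticality, the criticality-to-risk mapping, the draft-requirement wording and all sample requirements are assumptions, with the two 7.4 requirements reworded slightly so that the first contains the literal phrase “incoming inspection” and the second contains none of the 7.4 keywords. The block also shows criticality-ordered gap prioritization and a “+ Req”-style draft, so it covers the scoring, criticality and “+ Req” sections as well.

```javascript
// Added illustration, not QAtrial's own code: a literal keyword matcher and
// scorer following the article's description of the static assessment, plus
// criticality-ordered gap prioritization and a "+ Req"-style draft.
// From the article: 7.3 and 7.4 keyword lists, the 2+/1/0 thresholds, and the
// criticality of 7.3 (critical) and 7.4 (high). Assumed or constructed: the
// 7.6 keywords and criticality, the criticality-to-risk mapping, the draft
// wording, and every sample requirement.

const CLAUSES = [
  {
    id: "7.3", title: "Design and development", criticality: "critical",
    keywords: ["design control", "design input", "design output", "design review",
      "design verification", "design validation", "design transfer",
      "design change", "design history", "dhf", "v&v"],
  },
  {
    id: "7.4", title: "Purchasing", criticality: "high",
    keywords: ["purchasing", "supplier", "vendor", "supplier evaluation",
      "supplier qualification", "incoming inspection", "approved supplier"],
  },
  {
    id: "7.6", title: "Monitoring and measuring equipment", criticality: "medium", // assumed
    keywords: ["calibration", "measuring equipment"], // assumed for this example
  },
];

const CRITICALITY_ORDER = { critical: 0, high: 1, medium: 2, low: 3 };
// Assumed mapping from clause criticality to the generated requirement's risk level.
const CRITICALITY_TO_RISK = { critical: "high", high: "high", medium: "medium", low: "low" };

// Literal matching as the article describes it: title + description, lowercased,
// then a substring test per keyword. Word order and spacing must match exactly,
// which is why "incoming material inspection" never hits "incoming inspection".
function matchedKeywords(requirement, clause) {
  const text = `${requirement.title} ${requirement.description}`.toLowerCase();
  return clause.keywords.filter((kw) => text.includes(kw));
}

// Conservative scoring: a clause needs two matched requirements to count as covered.
function statusFor(hitCount) {
  if (hitCount >= 2) return "covered";
  if (hitCount === 1) return "partial";
  return "gap";
}

function assessClause(clause, requirements) {
  const hits = requirements
    .map((r) => ({ id: r.id, keywords: matchedKeywords(r, clause) }))
    .filter((h) => h.keywords.length > 0);
  return { clause: clause.id, criticality: clause.criticality, status: statusFor(hits.length), hits };
}

function assess(clauses, requirements) {
  return clauses.map((c) => assessClause(c, requirements));
}

// Everything not covered, critical clauses first, then by clause number.
function prioritizedGaps(results) {
  return results
    .filter((r) => r.status !== "covered")
    .sort((a, b) =>
      CRITICALITY_ORDER[a.criticality] - CRITICALITY_ORDER[b.criticality] ||
      a.clause.localeCompare(b.clause));
}

// A "+ Req"-style draft carrying the fields the article lists; wording is assumed.
function draftRequirement(clause) {
  return {
    title: `ISO 13485 Section ${clause.id} - ${clause.title}`,
    description: `Documented controls addressing ISO 13485:2016 clause ${clause.id} (${clause.title}).`,
    reference: `ISO 13485:2016 Section ${clause.id}`,
    riskLevel: CRITICALITY_TO_RISK[clause.criticality],
    tags: ["iso13485", `clause-${clause.id}`],
    status: "draft",
  };
}

// Constructed sample requirements. REQ-001 and REQ-002 are the article's two 7.4
// examples, worded so that the first contains the literal phrase "incoming inspection"
// and the second contains none of the 7.4 keywords (not even "vendor").
const SAMPLE_REQUIREMENTS = [
  { id: "REQ-001", title: "Incoming Inspection Procedure",
    description: "All incoming materials shall be inspected or verified against purchase specifications before use in production." },
  { id: "REQ-002", title: "Component Acceptance Protocol",
    description: "Components received from qualified sources shall undergo dimensional and functional testing per approved acceptance criteria before release to manufacturing." },
  { id: "REQ-003", title: "Design Input Review",
    description: "Design inputs shall be reviewed for completeness and traceability before approval." },
  { id: "REQ-004", title: "Design History File Maintenance",
    description: "A DHF shall be maintained for each device family and updated on every design change." },
];

const results = assess(CLAUSES, SAMPLE_REQUIREMENTS);
for (const r of results) {
  console.log(`${r.clause} [${r.criticality}] ${r.status}`, r.hits.map((h) => `${h.id}:${h.keywords.join("|")}`));
}
const clauseById = Object.fromEntries(CLAUSES.map((c) => [c.id, c]));
for (const gap of prioritizedGaps(results)) {
  console.log("draft for", gap.clause, draftRequirement(clauseById[gap.clause]));
}
```

Run it with node. With these inputs 7.3 is covered (REQ-003 and REQ-004), 7.4 is partial (only REQ-001 hits, on “incoming inspection”; REQ-002 hits nothing), and 7.6 is a gap, so the prioritized list is 7.4 then 7.6. The same REQ-001 description under the title “Incoming Material Inspection Procedure” produces no 7.4 hit at all, because the phrase “incoming inspection” never occurs. That brittleness is what AI mode is meant to compensate for, and it is also why the keyword sets in the registry are worth extending with your own organization’s vocabulary.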
Choosing Your AI Provider
For companies ready to use AI mode, QAtrial v3.0 offers five provider presets:
- Anthropic (Claude): Best for regulatory precision and structured analysis. Temperature is set to 0.2, which keeps output close to repeatable without guaranteeing identical results from run to run.
- OpenAI (GPT-4.1): Fast and widely supported. Good for high-throughput analysis.
- OpenRouter: Access to 200+ models through a single API. Pay per token with no subscription.
- Ollama (Local): Run Llama 3.1, Qwen, Mistral, or DeepSeek locally. No API key needed. No data leaves your machine.
- LM Studio (Local): Desktop-friendly local inference with whatever model you have loaded.
The local options deserve emphasis. If your company’s security policy prohibits sending quality data to external APIs, you can run QAtrial with Ollama on the same machine or the same network. You get AI-powered gap analysis without quality data leaving infrastructure you control; the only new trust boundary is the local inference host, which your own team operates. The trade-off is that local models (especially smaller ones like Llama 3.1 8B) may not match the analytical depth of Claude or GPT-4.1 on complex regulatory questions. For many gap assessment scenarios, they are more than adequate.
The Recommended Path
If you have never assessed your ISO 13485 compliance: Start with the static assessment. It takes minutes, costs nothing, and gives you a baseline readiness score with clause-by-clause visibility. Use the “+ Req” buttons to generate requirements for your critical gaps. Get to 70%+ coverage before thinking about AI.

If your static assessment shows 70%+ coverage and you want deeper analysis: Configure an AI provider (cloud or local) and run the AI assessment. It will find the gaps that keyword matching missed and provide specific recommendations for strengthening partial clauses.
If you are preparing for an external audit: Run both. The static assessment gives you the objective, repeatable baseline. The AI assessment adds the nuanced analysis that helps you anticipate auditor questions. Together they cover much of what a $30,000 consulting engagement used to deliver, short of the professional judgement an experienced auditor brings.
If you have strict data sovereignty requirements: Use the static assessment for your initial analysis (zero data leaves the browser), then set up Ollama locally for AI-powered follow-up. You get both modes with complete data control.
The Bigger Picture
The ISO 13485 gap assessment is one feature of QAtrial v3.0, but it reflects a broader design philosophy: regulatory compliance tools should be accessible, transparent, and adaptable. Accessible means they work without expensive subscriptions or mandatory AI dependencies. Transparent means you can inspect the logic — every keyword set, every matching algorithm, every scoring threshold is in the open-source code. Adaptable means you can extend them — add keywords, adjust criticality ratings, customize clause descriptions for your specific regulatory context.
AI is a powerful complement to this foundation. But the foundation stands on its own. You do not need AI to assess your ISO 13485 compliance. You need a systematic, clause-by-clause review of your quality system against the standard’s requirements.
QAtrial gives you that, for free, in your browser, in minutes.
The AI is there when you are ready for it.
QAtrial is open-source software licensed under AGPL-3.0. The ISO 13485 gap assessment is a compliance support tool, not a substitute for professional regulatory guidance. All 27 clause definitions and keyword sets are available for review in the source code at github.com/MeyerThorsten/QAtrial.