
· The Bloomfield Team

What Medical Device Manufacturers Need to Know About AI Validation


Medical device manufacturing operates under one of the most prescriptive regulatory frameworks in any industry. FDA 21 CFR Part 820 (the Quality System Regulation) requires that any software used in production or quality systems must be validated for its intended use. ISO 13485 adds an international layer with similar requirements. For manufacturers selling into the EU, the Medical Device Regulation (MDR 2017/745) introduced additional software validation and documentation demands.

When a medical device manufacturer considers deploying an AI tool, the first question from the quality team is always the same: how do we validate this? The answer determines whether the project moves forward or stalls indefinitely in regulatory review. Getting the validation approach right at the start is the difference between an AI tool that passes audit and one that becomes an expensive shelf ornament.

What Validation Means for AI in This Context

Software validation under FDA guidance (General Principles of Software Validation, 2002) and ISO 13485 Section 4.1.6 means establishing documented evidence that a system consistently produces results meeting predetermined specifications and quality attributes. For traditional software, this is well-understood: you define requirements, verify the software meets them, and document the results through Installation Qualification (IQ), Operational Qualification (OQ), and Performance Qualification (PQ).

AI introduces a complication. A traditional software function produces the same output for the same input every time. An AI model may produce different outputs based on its training data, its version, and in some architectures, the specific sequence of queries preceding a given input. The validation framework must account for this variability while still demonstrating that the system produces reliable, consistent results within defined parameters.

The practical approach that FDA reviewers and ISO auditors currently accept treats AI tools as decision-support systems operating within a validated process. The AI produces recommendations or analyses. The qualified human makes the decision. The validation demonstrates that the AI's recommendations fall within acceptable accuracy ranges for the specific use case, and the process documentation defines who holds the human authority for each decision.

Risk Classification Determines Validation Depth

Not every AI application in a medical device manufacturing facility carries the same validation burden. The risk-based approach required by both FDA and ISO 13485 means the depth and rigor of validation scale with the risk the software introduces to product quality and patient safety.

Low risk: business operations. AI tools used for quoting, sales forecasting, or supplier management in a medical device company require minimal validation because they do not influence product quality. These tools operate outside the QMS scope for product-related processes. Standard IT change management procedures apply, but the full IQ/OQ/PQ protocol is not required. This is where most medical device manufacturers should start their AI adoption, because the regulatory burden is minimal while the operational improvements from faster quoting and better data analysis deliver immediate value.

Medium risk: quality system support. AI tools that analyze NCR data, predict quality trends, or assist with CAPA investigations support the quality system but do not make quality decisions. These require documented validation that the AI's outputs are accurate and reliable, with defined acceptance criteria. A quality prediction tool that analyzes dimensional inspection data should be validated against a set of known outcomes: given these 200 historical inspection records, does the model correctly identify the 14 parts that failed subsequent functional testing? The acceptance criteria might be 85% sensitivity with fewer than 5% false positives. The validation is rigorous but manageable.

High risk: production process influence. An AI tool that determines inspection sampling rates, recommends process parameter adjustments, or influences accept/reject decisions on product lots carries the highest validation burden. These applications require full IQ/OQ/PQ documentation, prospective validation with predefined protocols, and ongoing monitoring to confirm continued performance. The tool must be treated as a controlled element of the quality system, with change control applied to any updates to the model, training data, or interface.

The Validation Documentation Package

For medium and high-risk AI applications, the validation documentation follows a structure that FDA inspectors and ISO auditors expect to see.

Validation Plan. Defines the scope of the AI system, its intended use within the quality system, the acceptance criteria for each validation test, the roles and responsibilities for validation activities, and the risk assessment that determined the validation approach. This document is reviewed and approved before validation testing begins.

Requirements Specification. Documents what the AI tool must do, in specific and testable terms. For a quoting tool: "The system shall retrieve and rank historical jobs by similarity to the input RFQ, with ranking accuracy validated against expert estimator judgment on a minimum of 50 test cases." For a quality prediction tool: "The system shall identify jobs with elevated defect risk with a sensitivity of 80% or greater and a false positive rate below 10%, validated against a minimum of 200 historical job outcomes."

Installation Qualification (IQ). Verifies that the AI system is installed correctly in the production environment. Server configurations match specifications. Database connections are established and functional. User access controls are configured per the security requirements. The system version deployed matches the version that was tested.

Operational Qualification (OQ). Tests the AI system against its requirements specification using predefined test cases with known expected outcomes. This is where the AI's accuracy, reliability, and performance are measured against the acceptance criteria. For a quoting tool, OQ might include running 75 historical RFQs through the system and comparing its job-similarity rankings against the rankings produced by the senior estimator. For a quality prediction tool, it might include running 300 historical inspection datasets and measuring prediction accuracy against actual outcomes.

Performance Qualification (PQ). Demonstrates that the AI system performs reliably under actual operating conditions, with real users, real data, and real-time constraints. This is typically a monitored period of 30 to 90 days where the system operates alongside existing processes. Users document any discrepancies between AI recommendations and their own assessments. Performance metrics are tracked continuously.

Validation Report. Compiles the results of IQ, OQ, and PQ testing, compares results against acceptance criteria, documents any deviations and their resolution, and concludes with a determination of whether the system is validated for its intended use. This report is the document an FDA inspector will ask for.

21 CFR Part 11 Compliance

If the AI system creates, modifies, or maintains electronic records that are part of the quality system, 21 CFR Part 11 applies. This regulation governs electronic records and electronic signatures, and it adds specific technical requirements.

Audit trails that record who accessed the system, what data was viewed or modified, and when. These trails must be computer-generated and cannot be modified by the user. For an AI tool, this means every query, every recommendation generated, and every user action on that recommendation is logged.

Electronic signatures that are linked to their respective electronic records and include the printed name of the signer, the date and time of the signature, and the meaning of the signature (review, approval, responsibility). If the quality engineer approves a CAPA action based on AI-generated trend analysis, that approval must be captured as a compliant electronic signature.

System access controls that limit access to authorized individuals and maintain records of authorized users. The AI tool must enforce role-based access, with quality engineers having different access levels than production operators or estimators.
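One way to make the audit trail and signature linkage described above tamper-evident is a hash-chained log, sketched here as an added example that is not code from the original article or from any vendor. The field names, user IDs and model version strings are assumptions, and hash chaining is one technique for detecting modification, not something Part 11 itself prescribes.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # fixed anchor used as prev_hash of the first entry


def digest(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(trail, user, action, detail, model_version, when=None):
    """Append a system-generated entry chained to the previous one."""
    body = {  # field names are assumptions made for this example
        "seq": len(trail),
        "time": when or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,  # e.g. query, recommendation, signature
        "detail": detail,
        "model_version": model_version,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    entry = dict(body, hash=digest(body))
    trail.append(entry)
    return entry


def sign_record(trail, target, user, printed_name, meaning, model_version, when=None):
    """Record a signature bound to one entry by that entry's hash."""
    detail = {"signs_seq": target["seq"], "signs_hash": target["hash"],
              "printed_name": printed_name, "meaning": meaning}
    return append_entry(trail, user, "signature", detail, model_version, when)


def verify_trail(trail):
    """Return the index of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev or digest(body) != entry["hash"]:
            return i
        if entry["action"] == "signature":
            d, ref = entry["detail"], entry["detail"]["signs_seq"]
            if not (0 <= ref < i) or trail[ref]["hash"] != d["signs_hash"]:
                return i
        prev = entry["hash"]
    return None
```

The chain only detects edits if the latest hash is also kept somewhere the application's users and administrators cannot rewrite; otherwise the whole chain can be recomputed after a change.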

Practical Implementation for Contract Manufacturers

Contract medical device manufacturers, the shops that machine orthopedic implants, turn surgical instrument components, or mold plastic housing assemblies, face a specific dynamic. They must maintain their own ISO 13485 quality system, and their OEM customers audit that system regularly. An AI tool deployed without proper validation becomes an audit finding not only for the registrar but for every customer who performs a supplier audit.

The practical path for contract manufacturers follows three stages.

Stage 1: Non-QMS applications. Deploy AI for quoting, production scheduling, and tribal knowledge capture. These applications sit outside the quality system scope for product-related processes and require minimal regulatory documentation. Use this stage to build internal competence with AI tools and demonstrate ROI to leadership. Timeline: 8 to 12 weeks from project start to deployment.

Stage 2: Quality analysis tools. Deploy AI for NCR trend analysis, supplier performance tracking, and process capability monitoring. These tools support the quality system and require documented validation. The validation is manageable because the tools are analytical, the human makes all decisions, and the acceptance criteria can be defined by comparing AI analysis against manual analysis of the same data. Timeline: 12 to 16 weeks including validation.

Stage 3: Production-adjacent applications. If the first two stages demonstrate value and the validation framework is established, consider AI for inspection data analysis, process parameter optimization, or predictive maintenance on production equipment. These carry the highest validation burden and should only be pursued after the organization has experience with AI validation from Stage 2. Timeline: 16 to 24 weeks including full validation protocol.

What Auditors Are Looking For

FDA inspectors conducting surveillance inspections and ISO 13485 registrars performing annual audits are increasingly aware that manufacturers are adopting AI tools. Their approach follows the same principles as any software validation review.

They want to see that the manufacturer identified the AI tool's risk to product quality and patient safety, and that the validation rigor matches the risk. They want to see predefined acceptance criteria that are specific and measurable. They want to see test results that demonstrate the system meets those criteria. They want to see that changes to the AI system (including model updates and retraining) go through change control. And they want to see that the human decision authority is clearly documented in the process procedures.

The manufacturers who handle these audits well are the ones who treated the AI tool as a controlled element of their quality system from the beginning. The ones who struggle are the ones who deployed a tool, found it useful, and are now trying to retroactively create the validation documentation that should have been developed before deployment.

Building the validation framework into the project from day one adds 15 to 20% to the project timeline and 10 to 15% to the cost. Retrofitting validation after deployment typically adds 40 to 60% to both, because the testing must be designed around a system that is already in use, and any findings during validation may require changes that disrupt operations.

For medical device manufacturers, AI validation follows the same logic as any process validation: do it right the first time, document it thoroughly, and maintain the validation state through ongoing monitoring and change control. The tools are new. The principles are the same ones that have governed medical device manufacturing for decades.
