AI in Medical Device Development: How We Use It Without Breaking ISO 13485 Quality Management System

Written By Caroline

Published on June 29, 2026

Last Edit on June 29, 2026

Using AI in a regulated quality management system: yes or no?
It’s a question that sparks debate, and one we didn’t want to leave unanswered, especially since it directly affects how we work.

At CLEIO, we develop medical products under an ISO 13485-certified quality management system (QMS), and for more than a year, AI has been part of the daily work of our software, engineering, and design teams.

A theoretical answer wasn’t enough. So we established clear guardrails, ran tests, adjusted our approach, and closely examined the results, project after project.

Today, we know exactly where AI helps us work more efficiently, where it requires careful oversight to protect our QMS and our products, and where potential issues can surface long before an audit.

Here’s what we’ve learned.

Where AI Stands in Medical Device Regulation

Before getting into how we use AI, let’s take a closer look at the current regulatory landscape. Medical device regulation is moving fast in 2026, with new alignments, new guidances, and a tightening boundary around AI use.

To understand what this means for development, we need to examine both the current shifts and ISO 13485, the international standard for quality management systems in the medical device industry.

The 2026 Regulatory Landscape

AI is shaking up the MedTech industry, and the regulatory landscape has to keep up. Here are three major shifts to watch in 2026:

  • The FDA’s QMSR is now aligned with ISO 13485, creating greater consistency between the U.S. and Canadian regulatory frameworks.
  • IEC 62304, the standard governing the life cycle of medical device software, is expected to be revised later this year. This major update will specifically address AI-enabled medical software.

What do these three have in common? They cover the quality processes and the AI functions integrated into the medical device. However, none of them spells out how to use AI as a tool to develop that device.

A word of caution, though. In April 2026, the FDA issued its first warning letter related to AI use, targeting a submission generated by AI without any human review. It is a clear sign that the regulatory gray area surrounding AI-assisted development may be starting to narrow.

What Does ISO 13485 Actually Require?

Here’s the thing about ISO 13485: it doesn’t tell you how to work. It defines what requirements your design process must meet. The process has to be consistent, manage risk, and stay traceable from the very first user need through verification and validation.

Then, there’s ISO 14971, which handles risk management for medical devices. The rule is simple: every identified risk must be assessed, mitigated, and documented across the entire product lifecycle.

The deliverable that ties all this together is the Design and Development File (DDF). It serves as proof that the design and development of your product followed the established plan and the applicable regulatory requirements.

What About AI as a Medical Device Development Tool?

On one side, we have a medical device that must integrate AI under strict regulation. On the other, an engineer using AI to help develop that same device.
Does that engineer have rules to follow too? Absolutely.

When AI is introduced into an ISO 13485 environment, the required deliverables don’t change. What changes is the tool used to produce them. And on that point, the standard is clear: any software application used in the QMS must be controlled and validated in proportion to the risks associated with its use.

“AI tools, in development, are still development tools. ISO 13485 doesn’t regulate how you use SolidWorks or how you do CAD.
What it covers is our processes, and our processes rely on the tools we use to apply them.”

Gabriel Gagnon
Director of Software Development at CLEIO

How CLEIO Uses AI in Medical Device Development

Frame, test, validate, deploy: that’s the process we follow to bring any new tool into our workflows, and AI was no exception. More than a year after our first internal rollouts, we have a clear picture of where AI adds value, where its limitations lie, and which safeguards are required to keep our processes and products compliant.

6 Areas Where AI Really Accelerates Medical Device Development

Here are six areas where AI buys us time back, without ever stepping outside our ISO 13485-certified quality management system.

01. Software Development

AI works alongside our developers on architecture exploration, code generation, code review, and unit testing. We’re seeing it speed up certain tasks by up to 80%. But make no mistake: AI doesn’t replace human expertise. At every step, a qualified team member performs the core task, decides which changes are implemented into the code, and is accountable for the final deliverable.
The “rubber duck” effect works particularly well with AI. Traditionally, developers solve problems just by explaining them out loud to a rubber duck, often uncovering the solution in the process. With AI, the duck talks back. It asks questions, challenges assumptions, and brings its own ideas to the table.

02. Design and Engineering

In mechanical and electronic engineering, AI showed up later, but it’s catching on fast. We use it as a second brain for debugging, exploring design alternatives, and helping with documentation.

Integration with computer-aided design (CAD) and simulation tools is still finding its feet. But for idea generation and documentation support, the value is already undeniable.

03. Documentation

Here’s where most companies underestimate what AI can do. The documentation load on a medical device project is enormous: user needs, software requirements specifications (SRS), design specifications, risk analyses, verification protocols, and traceability matrices. All of it has to be produced and kept up to date throughout the product lifecycle.

AI speeds up every part of it: drafting, restructuring, consistency checks across documents, and change management.

04. Traceability

When a user need changes mid-project, the impact ripples through the SRS, the design specs, and the test protocols. That’s exactly where errors slip in.

With an AI agent that knows our documentation process, the change propagates across every affected document in minutes. Then our team reviews it.

“When a user need changes mid-project, after a formative evaluation for example, we can update the entire traceability chain through our workflow.
We work the change with the agent: it knows which SRS follow from it, which stories are impacted, and it applies the updates across the documentation chain.
But it doesn’t do it on its own. A human reviews everything after.”

Gabriel Gagnon
Director of Software Development at CLEIO

05. Regulatory Research

AI dramatically cuts research time during the immersion phase. For example, we use it to speed up searches across FDA databases for product classification and predicate device identification. We also use it to search adverse events databases and synthesize what we find, which then feeds our risk analysis.

To keep our data reliable, we only use tools connected to official sources. The result: several hours saved per project.

06. Project Management and Internal Operations

On every project, our teams end up spending hours on the kind of work that doesn’t need their expertise: meeting minutes, status updates, sprint planning, ticket management, version control maintenance.

AI takes that off their plate. The outcome: time freed up for the work that actually demands real thinking.

How CLEIO Integrates AI into Its QMS

Seven rules shape how AI lives inside our ISO 13485-certified quality management system. They’re clearly defined, and every team applies them the same way.

The Human Stays in Charge of the Process

The qualified person owns the design deliverable. AI is a tool, not a process owner.

Every deliverable included in the design and development file gets reviewed, revised if needed, and signed off by a qualified team member. AI accelerates the work, but the human stays accountable for the result.

No Auto-Acceptance of AI-Generated Changes

We’ve disabled auto-accept on every AI tool we deploy for development. In other words: AI proposes, the human decides. That one setting is what separates AI-assisted development from AI running unsupervised.

No scenario in our workflow lets an AI execute an action without explicit human approval.

Only Approved Tools Access Project Data

Every AI tool that could access confidential project data goes through a security review before we deploy it. To run that review, we apply principles aligned with the SOC 2 framework, which sets the bar for how companies store and handle client data securely.

In practice, we look at what the tool uses for model training and where it stores and processes the data. If a tool fails the review, it’s not approved. And our internal policies block any unapproved tool from accessing client projects. No exceptions.

Tools Are Tools, Processes Are Processes

ISO 13485 doesn’t tell you how to use tools like SolidWorks or Jira. It only specifies the controls you apply throughout the design and development process. Same logic for AI.

The standard governs our processes, and our processes follow the standard, whether the engineer used an AI assistant or a whiteboard. At the end of the day, what an auditor wants to verify is that the required process was followed, that traceability was preserved, and that the tools were adequately controlled.

Custom Workflows Guarantee Traceability

The default way of using AI (“I open a chat, ask a question, and close the chat”) leaves zero traceability and has no place in regulated development. That’s why our software team built agentic workflows that generate structured artifacts at every step, based on the target deliverable: user needs, SRS entries, stories, or design specifications.

The workflow itself is what guarantees traceability. It keeps every conversation, and every version of every artifact.

Our Internal SOPs Evolve with AI Tools

This year, we’re updating our internal standard operating procedure (SOP) for software development to formally integrate AI-assisted workflows.

The goal isn’t to force AI on everyone. It’s to establish a consistent framework so every team member follows the same best practices, whatever tool they pick.

Teams Trained Based on Their Interest

AI adoption at CLEIO has been gradual. We activated licenses one at a time, starting with the people who showed real interest, each with their own onboarding. The rest of the team followed naturally, drawn in by curiosity and the value they saw.

To keep the momentum going, we put several rituals in place: a weekly workflow-sharing session within the software team, a dedicated AI Slack channel, an AI maturity assessment for each team, a company-wide skills library, and recently, our first “lunch and learn” for the people less involved with AI.

What AI Can't Do at CLEIO

At CLEIO, any use of AI outside the framework we’ve set is off-limits.

In practice, AI can’t:

How to Stay Ahead of AI Regulation in Medical Device Development

No standards or official guidelines govern AI use in medical device development yet. But as the saying goes, an ounce of prevention is worth a pound of cure. By building the right habits today, we’ll be ready when the regulation catches up.

Watch Where AI Regulation Is Heading

One standard already governs how organizations use AI: ISO/IEC 42001:2023, the international standard for AI management systems. It’s to AI what ISO 13485 is to medical devices, and it covers the full AI lifecycle: risk management, transparency, human oversight, and continuous improvement.

For a company like CLEIO that already runs an ISO 13485-certified QMS, ISO 42001 is a natural extension.

IEC 62304, the standard for medical device software lifecycle, is also getting an update soon, targeting devices that make decisions based on AI models.

So AI as a medical device development tool isn’t specifically regulated yet. But the boundary is going to tighten. For teams that have already built strong traceability and keep human oversight in their AI-assisted workflows, there’s nothing alarming here. They’ll know how to adapt quickly when the time comes.

“I expect the medical standards to eventually catch up with AI, with more concrete definitions of what you can and can’t do with these tools.”

Gabriel Gagnon
Director of Software Development at CLEIO

Choose a Development Partner With a Clear AI Framework

If you’re evaluating a development partner, the right questions come down to two things: the framework the organization has built around AI, and how those tools are integrated into its processes.

  • How is AI integrated into the quality management system?
  • What is AI allowed to do, what is it explicitly not allowed to do, and who approves?
  • Is traceability maintained throughout the development process?
  • Are the AI tools validated and approved, and on what basis?

Getting clear answers to these questions is how you choose a partner who won’t put your product’s regulatory compliance at risk.

At CLEIO, our integrated approach is what lets us move forward on AI adoption without compromising our quality management system or our ISO 13485 certification. We integrate AI into our teams’ workflows with the same rigor we apply to everything else.

Our goal stays the same: designing innovations that meet your market’s needs.
What’s different is that some steps are now faster, giving our experts more time to focus on the complex challenges that demand human judgment, technical expertise, and critical thinking.

Frequently Asked Questions about AI, ISO 13485, and Medical Device Compliance

Yes. ISO 13485 governs the process and the documentation, not the choice of specific development tools. AI can be used anywhere it improves efficiency without breaking traceability, as long as a qualified person reviews and approves the deliverable.

Before we allow an AI tool to access any confidential project data, it must undergo a security review to make sure the client’s data stays protected, is never used to train the tool, and is stored in a controlled environment. Until it passes that review, it can’t be used on any client project.

Under IEC 62304 specifically, yes, but only when AI is integrated into the medical device itself and makes decisions that could impact safety. This use case will be addressed in the ongoing IEC 62304 revision and is already covered by the FDA’s guidance on AI-enabled device software functions.

More broadly, under ISO 13485 and in line with the FDA’s General Principles of Software Validation, any software used within the QMS, production processes, or monitoring and measurement activities must be validated with a level of effort proportional to the risk it poses to the safety and effectiveness of the device. We validate its intended use and implement appropriate controls. The same goes for AI tools.

ISO 42001 is the international standard for AI management systems. It defines how organizations govern the AI lifecycle and manage AI-related risks. While it remains voluntary and is rarely required today, it serves as a natural complement for organizations already operating under an ISO 13485-certified QMS.

We certainly doubt it will! AI enables engineers who already master their discipline to work faster. Theory remains the foundation, and accountability for the final deliverable stays in the hands of the qualified person.


Main Author

Caroline Graver

Writer & Content Specialist

Caroline is a content specialist with deep expertise in medtech and product development, translating complex technical concepts into clear, compelling narratives for healthcare and innovation audiences.
