I started experimenting with AI in our eQMS triage last year because the CAPA backlog was simply not sustainable. The model could classify deviations, draft a root-cause template and even suggest corrective actions in seconds. To be fair, that saved our engineers time on the repetitive parts of documentation. Granted, it also forced me to write a much stricter SOP about when AI can help and when it must not be trusted.
Below is a pragmatic view from someone who lives in Annex II / ISO 13485 territory and spends a lot of time with notified bodies: what AI does well for CAPA, where it becomes hazardous, and the controls that make AI-driven CAPA assistance audit-ready.
Why teams reach for AI on CAPA
- CAPA volumes grow faster than headcount. Automated CAPAs reduce clerical burden.
- Standard language and templates are repetitive work — AI handles language, formatting, and initial task breakdown quickly.
- Triage and prioritisation: models can flag high-severity trends across non-conforming event text.
- To be fair, AI helps non-regulatory authors produce something a reviewer can work with.
This is where automated CAPAs or AI-driven CAPA assistance delivers genuine ROI: time saved on drafting, consistent structure, and better initial classification for routing through a connected workflow.
What AI reliably does (and why that’s useful)
- Define terms and explain CAPA process steps (good for training or SOP refresh).
- Summarise historical events and extract keywords from free text.
- Produce a structured draft: problem statement, containment, proposed corrective actions, proposed verification metrics.
- Find potentially related documents in the QMS when integrated with traceability (IF the integration is robust).
These functions are predictable and easy to validate: you can prepare test cases, check outputs against subject-matter experts, and record the results.
Where AI becomes dangerous: "Is this CAPA adequate?"
Adequacy of a CAPA is a regulatory judgement, not a language task. Adequacy depends on:
- The appropriateness of root-cause analysis (scientific reasoning, not pattern-matching).
- Whether corrective actions address the systemic cause — not just symptoms.
- The sufficiency of verification and monitoring (metrics, frequency, sample size).
- Risk acceptance decisions and whether they align with the device risk management file (ISO 14971).
AI can suggest plausible-sounding causes and actions. In practice this means a draft CAPA can look complete while missing the single causal link the auditor will focus on. I have seen drafts that proposed corrective actions targeting a supplier when the root cause was design validation. That’s the exact kind of error a notified body will flag.
Controls that make AI-assisted CAPA acceptable in an audit
Treat the AI as a tool, not an autonomous decision-maker. Build these controls into your process:
- Documented scope: an SOP stating permitted AI tasks (e.g., drafting, triage, document retrieval) and prohibited tasks (final root-cause approval, risk acceptance).
- Validation evidence: test cases reflecting real incident types and edge cases; performance criteria and pass/fail logs. Link this to your software validation records per ISO 13485 and relevant MDR obligations (manufacturers remain responsible for outputs).
- Human-in-the-loop sign-off: every AI-generated CAPA must have a named SME reviewer who documents why they accept, modify, or reject AI suggestions. Reviewability is non-negotiable.
- Audit trail and versioning: store prompts, model identifier/version, timestamps, and outputs in the QMS. This supports traceability and investigations later.
- Explainability notes: if the model outputs a root cause, require the reviewer to add explicit rationale referencing evidence (tests, complaint records, production data).
- Monitoring for drift: periodic revalidation and retrospective comparison of AI suggestions versus expert decisions; record CAPA effectiveness metrics and adjust the model/process if trends show divergence.
- Integration with connected workflow: ensure CAPA links to risk assessment, change control, supplier quality records and the technical file. Traceability is the thing auditors will ask for first.
Mapping controls to standards and audits
- ISO 13485:2016 clause on corrective action requires investigation and review of effectiveness — the regulator expects a documented, evidence-based process. AI can assist with documentation, but the investigative judgement must be evident in records.
- MDR: manufacturer obligations remain. Using AI does not shift responsibility — the manufacturer must ensure safety and performance. Keep evidence that AI outputs were assessed and accepted by authorised personnel.
- For software-related devices (SaMD), consider IEC 62304 lifecycle practices when the AI influences decisions affecting safety.
In audits I've run, notified bodies ask for:
- The SOP governing AI use.
- Validation records and test cases.
- Examples where AI output was rejected and why.
- The audit trail tying CAPA decisions to objective evidence.
If you cannot produce those, auditors will view AI contributions as undocumented inputs — and that's where findings arise.
Practical checklist to implement tomorrow
- Add one line to your CAPA SOP: "AI may draft but may not determine adequacy."
- Start logging prompts and outputs as attachments to CAPA records.
- Require a specific evidence field on CAPA forms: "Rationale tying corrective action to root cause (evidence attachments)."
- Run five retrospective cases through the AI and document discrepancies and fixes — that's your first validation batch.
- Integrate AI outputs into your connected workflow so traceability to related non-conformances, changes, and risk files is automatic.
Automated CAPAs and AI-assisted drafting are useful. CAPA-driven risk assessment and decisions about adequacy are where you must maintain human oversight, traceability and reviewability.
How have you documented and validated AI involvement in CAPA in your QMS — and what did your auditor ask for when they saw AI in the record?
