--- title: The AI Advantage in Regulatory Affairs: How Startups Can Compete description: How lean MedTech startups use AI in regulatory affairs to match big MedTech throughput under MDR Article 10 without shortcutting compliance. authors: Tibor Zechmeister, Felix Lenhard category: AI, ML & Algorithmic Devices primary_keyword: AI regulatory affairs startups MDR canonical_url: https://zechmeister-solutions.com/en/blog/ai-advantage-regulatory-affairs-startups source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # The AI Advantage in Regulatory Affairs: How Startups Can Compete *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **AI does not shrink MDR Article 10 obligations — the manufacturer's duties remain exactly what the regulation says they are. What AI changes is throughput: a two-person regulatory affairs team can now draft, compare, retrieve, and gap-analyse at a pace that used to need six people. The wins are in productivity. The decisions — classification calls, intended-purpose wording, Notified Body communication — stay fully human, and the tools themselves must be validated under EN ISO 13485:2016+A11:2021 clause 4.1.6.** **By Tibor Zechmeister and Felix Lenhard.** ## TL;DR - MDR Article 10 defines the manufacturer's general obligations — QMS, technical documentation, PMS, risk management, conformity assessment — and those obligations are the constant that no tooling can change. - AI tools meaningfully accelerate drafting, retrieval, comparison, and first-pass gap analysis across the regulatory stack. - Classification calls, intended-purpose wording, significant change assessments, and Notified Body correspondence stay with named humans because they carry legal and technical accountability. - Any AI tool used in a regulated process is QMS software and must be validated for its intended use under EN ISO 13485:2016+A11:2021 clause 4.1.6. - Trusting AI outputs blindly creates silent compliance risk: hallucinated article numbers, outdated guidance references, fabricated standards. A human-in-the-loop workflow is the only safe pattern. ## Why this matters (Hook) Big MedTech regulatory affairs teams have thirty to three hundred people. A typical EU startup has two — often one full-time plus a founder wearing the hat. The work on paper is the same: a technical file that meets Annex II, a QMS that satisfies Article 10(9), clinical evidence that satisfies Article 61, PMS and vigilance systems under Articles 83 to 92. The regulation does not care that your team is smaller. For most of the past decade, the only way startups survived this asymmetry was working harder and narrowing scope ruthlessly. AI tooling is the first structural change in that equation. A lean team with the right tools, the right workflows, and honest boundaries can now operate at throughput levels that would have needed a mid-sized RA department three years ago. Not by cutting corners. By compressing the mechanical work. This post is the honest map of what AI actually accelerates, what it does not, and where the traps are. If you deploy AI in your RA function without understanding the second category, you build the appearance of productivity on top of silent compliance risk. ## What MDR actually says (Surface) MDR Article 10 lays out the general obligations of manufacturers. Paragraph by paragraph it requires: a quality management system, risk management, clinical evaluation, technical documentation, conformity assessment, declaration of conformity and CE marking, registration of devices and Economic Operators, post-market surveillance, corrective action, cooperation with competent authorities, financial coverage for liability, and the appointment of a Person Responsible for Regulatory Compliance under Article 15. These obligations are written in terms of outcomes, not methods. The MDR does not tell you to use a specific word processor, a specific search tool, or a specific type of software to draft your technical file. It tells you the file must exist, be complete per Annex II, be current, and be demonstrably under control. That freedom is where AI tooling legitimately lives. But two constraints bind any tool you deploy. First, EN ISO 13485:2016+A11:2021 clause 4.1.6 requires that software used in the quality management system be validated for its intended use, with the approach documented and proportionate to the risk. An AI drafting tool, an AI retrieval tool, an AI gap-analysis tool — all QMS software. All subject to validation. Second, the accountability does not transfer. Article 10 obligations sit with the manufacturer. The PRRC under Article 15 is a named human. A Notified Body auditor looks across the table at a person, not a tool. ## A worked example (Test) A two-person regulatory team at a Class IIa wearable startup is preparing for their first Notified Body stage 1 audit. They have roughly ten weeks. The required deliverables: complete technical documentation per MDR Annex II and III, QMS procedures aligned with EN ISO 13485:2016+A11:2021, a Clinical Evaluation Report, a PMS plan, a risk management file, and internal audit records. Without AI tooling, this is a ninety-hour-week death march and probably a postponement. With AI tooling, used correctly, it becomes feasible. Specifically: the team uses an AI retrieval tool to pull relevant MDR articles, MDCG guidance, and internal precedent documents into context as they draft each section. They use an AI drafting assistant to produce first drafts of procedural documents — document control, CAPA, management review — which they then edit heavily against their actual processes. They use a gap-analysis tool to compare their draft technical file against an Annex II checklist. They use an AI summarisation tool to compress long supplier documentation packages into reviewable briefs. What they do not use AI for: deciding the device classification, writing the intended purpose statement, making the equivalence claim in the CER, drafting responses to any Notified Body question, signing anything. Those decisions are captured in a decision log with named human authors. The realistic speedup is three to four times on the drafting and retrieval phases. The review and decision phases do not speed up — and should not. Net result: ten weeks becomes achievable instead of impossible. The team submits with a complete file and a clean decision log. That is the AI advantage for startups. Not replacement. Compression of the mechanical layer so that the small team can focus its judgement where judgement is required. ## The Subtract to Ship playbook (Ship) The Subtract to Ship principle for AI in RA is: subtract the typing, keep the thinking. Concrete steps. **Step one — Map Article 10 obligations to workflows, not tools.** Start from the MDR requirement. What does Article 10 actually oblige you to produce? Then ask, for each output, which phases are mechanical (retrieval, drafting, comparison, deduplication, format checking) and which phases are judgement (classification, intended purpose, benefit-risk weighing, significant change assessment, Notified Body communication). Only the mechanical phases are AI candidates. **Step two — Validate each tool before it touches regulated content.** Under EN ISO 13485:2016+A11:2021 clause 4.1.6, every AI tool in your regulated workflow needs a documented validation for its intended use. Scope proportionate to risk. For a retrieval tool, the risk is missing relevant content. For a drafting tool, the risk is hallucinated claims. For a gap-analysis tool, the risk is false negatives against a checklist. Test each against its own risk profile. Keep the test records. **Step three — Build a named-human decision log.** For every regulatory decision — classification, intended purpose, equivalence, significant change, any Notified Body submission — there is a log entry with the decision, the reasoning, the MDR article or guidance cited, and the named human who made the call. AI tooling may have informed the reasoning. It does not author the decision. **Step four — Version-lock models and log prompts.** When you change AI tool versions, or the vendor rolls out a new underlying model, your outputs may change. Treat version changes as a configuration change in your QMS: notify, assess impact, revalidate if necessary. Log prompts and responses for any output that influences regulated content. **Step five — Pre-commit to what AI never does.** Write it down in your SOP. The following are always done by named humans: device classification, intended purpose wording, significant change assessments, responses to Notified Body questions, vigilance reportability decisions, benefit-risk conclusions, signatures. This list is your firewall against scope creep. **Step six — Build one prompt library under version control.** Prompts are how you get consistent output from AI tools. Treat them as controlled documents. A shared, versioned prompt library means a two-person team produces consistent drafts across sessions and across team members. Uncontrolled prompting means inconsistent output and an auditor discovering contradictory drafts. **Step seven — Spot-check for hallucinations on every output.** AI tools hallucinate article numbers, invent MDCG document titles, cite standards that do not exist, and paraphrase regulatory text inaccurately. Every AI-influenced draft gets a human pass against the actual source documents before it becomes part of your technical file. Catch the hallucinations before the Notified Body does. **Step eight — Hire the PRRC as a human first.** Article 15 requires a PRRC with the competence described in the regulation. AI does not substitute for this role. Your PRRC is a named person with a CV, legally accountable, and ideally someone who deeply understands where the AI tools in your workflow help and where they would introduce risk. ## Reality Check - Can you list, for each regulatory deliverable, which phases are AI-assisted and which are fully human? - Do you have a validation file under EN ISO 13485:2016+A11:2021 clause 4.1.6 for every AI tool that touches your regulated content? - Is there a written decision log for every classification, intended purpose, and Notified Body submission with a named human author? - Do you spot-check AI outputs for hallucinated article numbers and invented guidance references? - When an AI vendor updates its model, does something in your QMS trigger impact assessment? - Is your prompt library version-controlled? - Can your PRRC describe, in plain language, exactly how AI tools are used in your workflow and where the firewall sits? - Would a Notified Body auditor be satisfied by your answer to "which parts of this document were drafted with AI assistance"? ## Frequently Asked Questions **Does a Notified Body audit whether we used AI tools?** Auditors increasingly ask about the tools used in regulated processes. They are looking for tool validation under EN ISO 13485 clause 4.1.6 and for evidence that human judgement is in the loop for decisions. Transparency is the right posture — hiding the tooling is worse than disclosing it. **Can AI replace our regulatory affairs hire?** No. Article 10 obligations and the Article 15 PRRC role require a named, qualified human. AI amplifies a small team. It does not replace one. **What is the biggest risk of using AI in regulatory affairs?** Trusting outputs without verification. AI confidently generates wrong article numbers, invented guidance document titles, and inaccurate paraphrases of MDR text. A human pass against the actual source is mandatory before anything enters the technical file. **Do we need a separate validation file for every AI tool?** Yes, each tool needs its own validation record proportionate to its use and risk. The format can be lean — scope, intended use, test cases, test results, version, date, signer — but it must exist and be retrievable. **Is AI-assisted drafting allowed for QMS procedures?** Yes, as long as the draft is reviewed, edited to reflect your actual processes, approved by a competent person, and released under document control. The final SOP is a human-authored controlled document regardless of how the first draft came into being. **What about AI tools that are themselves SaMD?** That is a different question — those are medical devices and fall under the full MDR classification and conformity path. This post is about internal RA productivity tools, not devices. ## Related reading - [AI to automate regulatory documentation](/blog/ai-automate-regulatory-documentation) — tactical patterns for drafting and retrieval workflows. - [Flinn AI tools transforming regulatory](/blog/flinn-ai-tools-transforming-regulatory) — a concrete look at an RA-focused AI tool stack. - [Hiring regulatory affairs at a startup](/blog/hiring-regulatory-affairs-startup) — the humans you still need. - [Validating QMS software tools under MDR](/blog/validating-qms-software-tools-mdr) — the EN ISO 13485 clause 4.1.6 validation approach. - [The Subtract to Ship framework for MDR](/blog/subtract-to-ship-framework-mdr) — the underlying methodology this playbook applies. ## Sources 1. Regulation (EU) 2017/745 on medical devices, consolidated text. Article 10, Article 15. 2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes, clause 4.1.6. --- *This post is part of the [AI, ML & Algorithmic Devices](https://zechmeister-solutions.com/en/blog/category/ai-ml-devices) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*