Meta: See how QAtrial uses AI for gap analysis by comparing project data to regulatory standards and highlighting covered, partial, and missing areas for review.


Why Gap Analysis Is Painful Manually

Regulatory gap analysis is the process of comparing what your project has against what the applicable standards require. For a medical device project, that might mean cross-referencing your requirements against ISO 13485’s 27 clauses, ISO 14971’s risk management requirements, IEC 62304’s software lifecycle clauses, and EU MDR Annex I essential requirements. For a pharmaceutical project, it might mean checking against 21 CFR 211, ICH Q7, ICH Q10, and EU GMP Annex 11.

Regulatory gap analysis converts a vague concern — “are we covering all the regulations?” — into a structured, actionable assessment. QAtrial provides two modes: keyword-based static analysis for quick baselines, and AI-powered semantic analysis for deeper evaluation. Both produce covered, partial, and missing coverage states per regulatory clause.
Manual pain point
One standard with 30 clauses takes a day. Five or six standards take a week or more.
→ QAtrial: minutes, not days
Consistency problem
Different reviewers disagree on whether a requirement “covers” a clause — assessments are hard to defend.
→ Systematic, repeatable output
Staleness problem
Manual spreadsheet becomes outdated the moment you add or modify a requirement.
→ Always reflects current requirements
Keyword-Based Static Analysis (No AI Required)
Always available — no LLM provider needed. Fast and deterministic: same inputs always produce same outputs.
  • Matches requirement titles and descriptions against curated keyword lists for each clause of a standard. Literal matching.
  • Scoring: 2+ keyword matches = covered · 1 match = partial · 0 matches = missing.
  • Limitation: “error handling and correction procedures” may not match “corrective action” even though they are conceptually related.
  • Example, ISO 13485 §8.5 keywords: “capa” · “corrective action” · “preventive action” · “root cause” · “effectiveness check” · “continual improvement”. REQ-047 + REQ-052 match → Covered.
AI-Powered Deep Analysis (Requires LLM Provider)
  • Sends requirements and tests to the AI along with full clause descriptions. Understands intent, not just keywords.
  • Returns coverage status + specific evidence (which requirements address the clause) + recommendations for gaps.
  • Recognizes conceptual coverage: “documented procedures for handling deviations” → ISO 13485 §8.3 even without the word “nonconforming.”
  • Toggle between modes in the assessment header. Start with static for a quick baseline, switch to AI for deeper evaluation.
  • AI analysis returns per clause: Coverage status · Evidence (which requirements) · Recommendations (what is missing) · Semantic rationale. REQ-047 addresses intent → Covered + rationale.
Coverage States
Three States — Specific Definitions in Each Mode
Covered
A requirement exists that addresses the clause AND it has linked passing tests. Documented evidence that the clause is addressed and verified.
Static: 2+ requirements match clause keywords
AI: Requirements substantively address intent + linked tests with passing status
Partial
A requirement exists that addresses the clause but evidence is insufficient. Coverage started but not complete.
Static: Exactly 1 requirement matches clause keywords
AI: Requirements partially address clause, OR relevant requirements lack linked tests, OR linked tests have not passed
Missing
No requirement in the project addresses the clause. A regulatory blind spot that needs attention.
Static: 0 requirements match clause keywords
AI: No requirement addresses the clause intent — systemic gap requiring new requirements
Results View
Gap Analysis Heatmap — Standards Coverage at a Glance
Coverage by Standard
  • ISO 13485:2016: 27 clauses assessed; 17 covered, 5 partial, 5 missing; 72%
  • ISO 14971:2019: 14 clauses assessed; 11 covered, 2 partial, 1 missing; 85%
  • 21 CFR Part 11: 12 clauses assessed; 11 covered, 1 partial, 0 missing; 96%
  • IEC 62304:2006: 18 clauses assessed; 8 covered, 3 partial, 7 missing; 53%
What Shapes the Result
Four Inputs That Determine Gap Analysis Quality
Country
Regulatory Framework
Determines which regulatory bodies apply. US → FDA standards. Germany → EU + German. Japan → PMDA standards. Auto-detected from project setup.
Vertical
Domain Standards
Medical Devices → ISO 13485, 14971, IEC 62304. Pharma → ICH Q7/Q9/Q10. Aerospace → AS9100D, DO-178C. Auto-loaded from project vertical.
Requirements
Coverage Source
Full set of requirements including titles, descriptions, tags, risk levels, and regulatory references. More precise regulatoryRef fields = more accurate analysis.
Tests + Linkages
Evidence Strength
Linked passing tests strengthen coverage. A requirement addressing a clause + linked passing test = stronger evidence than a requirement alone. Partial coverage if tests are missing or failing.
Turning Gaps into Work Items
The “Generate Requirement” Button
Auto-Generated Requirement From Gap: ISO 13485 §8.3
Clicking “+ Generate” on a partial or missing clause creates a new requirement pre-populated with all relevant metadata. Created in Draft status — review and refine before advancing to Active.
  • title: ISO 13485 §8.3 — Control of Nonconforming Product
  • description: Procedures for identifying, segregating, and controlling product that does not conform to specified requirements…
  • tags: nonconforming-product · ncr · iso-13485 · quality-control
  • risk_level: critical
  • regulatory_ref: ISO 13485:2016 §8.3
  • status: Draft — requires review
Generate Requirements for All Gaps
A single button creates requirements for every partial or missing clause across all standards. Each includes the same pre-populated metadata as individual generation — all created in Draft status.
Generating requirements ≠ closing compliance gaps. Each generated requirement still needs implementation, linked tests, risk assessment, evidence, and approval signatures. Generation is step one; building the evidence chain is the actual work.
After bulk generation: Review each requirement and refine descriptions to match your project context. Establish test linkages. Assess risk. Apply approval signatures. Only then is the clause evidence-complete.
Dedicated View
ISO 13485:2016 Assessment Tab — 27 Clauses, 5 Sections
  • §4.1–4.2.5: Quality Management System (6 clauses)
  • §5.1–5.6: Management Responsibility (6 clauses)
  • §6.1–6.4: Resource Management (4 clauses)
  • §7.1–7.6: Product Realization (6 clauses)
  • §8.1–8.5: Measurement and Improvement (5 clauses)
Clause Criticality Ratings
  • Critical: §4.1 QMS General · §4.2.3 Medical Device File · §7.3 Design & Development · §7.5 Production · §8.2 Monitoring · §8.3 Nonconforming Product · §8.5 CAPA
  • High: §4.2.4 Document Control · §4.2.5 Record Control · §6.2 Human Resources · §7.1 Planning · §8.4 Data Analysis
  • Medium: §5.1 Management Commitment · §5.2 Customer Focus · §5.4 Planning · §6.3 Infrastructure
  • Low: §5.3 Quality Policy · §5.5 Responsibility & Authority · §6.4 Work Environment · §5.6 Management Review
Common Misuse
Three Ways Gap Analysis Goes Wrong
⚠️ AI output as final compliance judgment
The AI assesses textual coverage — whether requirements appear to address regulatory intent. It cannot verify that your organization actually implements those requirements. A requirement about “training records” does not mean training records are adequate.
→ Gap analysis surfaces documentation gaps. Implementation quality requires implementation evidence.
⚠️ Generate all gaps and call it done
Generating requirements for all gaps addresses the documentation gap, not the compliance gap. Each generated requirement still needs implementation, linked tests, risk assessment, evidence, and approval signatures before it closes the actual gap.
→ Generation is step one. Building the evidence chain is the actual work.
⚠️ Run once and file it away
Gap analysis results reflect your project at a point in time. As requirements are added, modified, or deleted, the gap profile changes. A gap analysis from three months ago is not your current compliance status.
→ Run gap analysis after major milestones, after requirement changes, and before audits. Use it as a regular readiness check.
“Gap analysis converts a vague concern into a structured, actionable assessment. Use it as a regular readiness check, not a one-time exercise. And remember: the analysis identifies documentation gaps — closing the actual compliance gaps requires implementation, testing, and evidence.”
Toggle between modes. Start with keyword static for a quick baseline. Switch to AI analysis for deeper semantic evaluation. Compare for maximum confidence.
Bulk generate, then review. The “Generate Requirements for All Gaps” button is a useful accelerator — but every generated requirement still needs human review and refinement.
Run it regularly. After major milestones, after requirement changes, and before audits. Not a one-time compliance certification — a systematic readiness checkpoint.

Done manually, this means opening the standard in one window, your requirements list in another, and reading through each clause to determine whether your project addresses it. For a single standard with 30 clauses, this might take a day. For a project subject to five or six standards, it can take a week or more. And the result is a spreadsheet that becomes outdated the moment you add or modify a requirement.

The manual approach also suffers from subjectivity. Different reviewers may disagree on whether a requirement “covers” a clause. Without a systematic method, coverage assessments are inconsistent and hard to defend during audits.

QAtrial’s gap analysis automates the comparison, provides structured results, and offers two modes — one that works without AI and one that uses AI for deeper analysis.


What QAtrial’s AI Gap Analysis Does

QAtrial’s gap analysis compares your project’s requirements and tests against the regulatory standards applicable to your project. It determines, for each clause of each standard, whether your project has adequate coverage.

The analysis produces a per-clause assessment: covered, partial, or missing. It groups results by standard, calculates overall readiness percentages, and identifies the specific gaps that need attention. For AI-powered analysis, it also generates recommendations for addressing each gap.

The goal is not to replace regulatory expertise. It is to provide a systematic, repeatable assessment that surfaces blind spots faster than manual review.


Two Modes: Static Keyword Match and AI-Powered Analysis

QAtrial offers two gap analysis modes, each with different capabilities:

Keyword-Based Static Analysis

Always available. Does not require an AI provider. This mode matches your requirement titles and descriptions against curated keyword lists for each clause of a standard.

For example, ISO 13485 clause 8.5 (Improvement) has keywords including “capa,” “corrective action,” “preventive action,” “root cause,” “effectiveness check,” and “continual improvement.” If two or more of your requirements contain these keywords in their title or description, the clause is marked “covered.” If one requirement matches, it is “partial.” If none match, it is a “gap.”

The static mode is fast and deterministic — the same inputs always produce the same outputs. It works well for initial assessments and for teams that do not have an AI provider configured. Its limitation is that keyword matching is literal: a requirement about “error handling and correction procedures” might not match the keyword “corrective action” even though it is conceptually related.

AI-Powered Deep Analysis

Requires a configured LLM provider. This mode sends your requirements and tests to the AI along with the full descriptions of each standard clause. The AI performs semantic analysis — it understands the intent of the clause, not just the keywords, and evaluates whether your requirements address that intent.

AI analysis returns:

  • Coverage status (covered, partial, missing)
  • Evidence: which specific requirements the AI considers relevant to each clause
  • Recommendations: what is missing and what the team should add to achieve full coverage

AI analysis is more nuanced than keyword matching. It can recognize that a requirement about “documented procedures for handling deviations from established protocols” addresses ISO 13485 clause 8.3 (Control of Nonconforming Product) even if neither “nonconforming” nor “NCR” appears in the requirement text.

Both modes can be toggled in the assessment view using buttons in the header. Teams often start with static analysis for a quick baseline, then switch to AI analysis for a deeper evaluation.


What Inputs Shape the Result

The quality of a gap analysis depends on what data is available. QAtrial uses several inputs:

Country. The project’s country determines which regulatory frameworks are applicable. A US project triggers FDA-related standards. A German project triggers EU and German-specific standards. A Japanese project triggers PMDA standards.

Vertical. The industry vertical determines which domain-specific standards apply. Medical devices trigger ISO 13485, ISO 14971, and IEC 62304. Pharmaceuticals trigger ICH Q7, Q9, and Q10. Aerospace triggers AS9100D and DO-178C.

Applicable standards. These are automatically detected from the regulatoryRef fields on your requirements. If your requirements reference “21 CFR 11.10,” “ISO 13485 §7.3,” and “IEC 62304 §5,” the gap analysis knows which standards to assess against. If no standards are detected, defaults are used based on the country and vertical.

Existing requirements. The full set of requirements in your project, including titles, descriptions, tags, risk levels, and regulatory references.

Existing tests with linkages. Tests linked to requirements provide evidence that coverage is not just documented but verified. A requirement that addresses a clause and has linked passing tests is stronger evidence of coverage than a requirement alone.


The Gap Analysis Heatmap

Results are displayed as a heatmap grouped by standard. Each standard shows:

  • Standard name and total clause count
  • Coverage bar: A horizontal bar divided into green (covered), amber (partial), and red (missing) segments
  • Overall readiness percentage: Calculated as (covered × 1.0 + partial × 0.5 + missing × 0.0) / total clauses

Below the summary, each clause is listed with its status indicator, clause number and title, and (in AI mode) the evidence and recommendation text.

The heatmap provides an at-a-glance view of where your project stands. A standard showing 90% green with one amber clause needs minor attention. A standard showing 40% red needs significant work.
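The static keyword scoring described earlier and the readiness formula above can be sketched as follows. This is an added example, not QAtrial's own code: the function names, the whole-word case-insensitive matching, the rounding to the nearest percent, and the sample requirement text are all assumptions.

```javascript
// Added example, not QAtrial source code. Assumptions: whole-word,
// case-insensitive matching; rounding to the nearest percent; all names here.

// Keyword list the article gives for ISO 13485 clause 8.5 (Improvement).
const CLAUSE_8_5 = {
  id: "ISO 13485 §8.5",
  keywords: ["capa", "corrective action", "preventive action", "root cause",
    "effectiveness check", "continual improvement"],
};

// Constructed sample requirements; the text is illustrative only.
const SAMPLE_REQUIREMENTS = [
  { id: "REQ-047", title: "CAPA procedure",
    description: "Root cause analysis is performed for every nonconformity." },
  { id: "REQ-052", title: "Effectiveness check",
    description: "Each corrective action is verified after closure." },
  { id: "REQ-060", title: "Error handling",
    description: "Error handling and correction procedures are documented." },
];

// Escape regex metacharacters so keywords are matched literally.
function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// True when any keyword occurs as a whole word or phrase in title/description.
function requirementMatches(clause, req) {
  const text = `${req.title} ${req.description}`;
  return clause.keywords.some((kw) =>
    new RegExp(`\\b${escapeRegExp(kw)}\\b`, "i").test(text));
}

// Static scoring from the article: 2+ matching requirements = covered,
// 1 = partial, 0 = missing.
function classifyClause(clause, requirements) {
  const evidence = requirements
    .filter((req) => requirementMatches(clause, req))
    .map((req) => req.id);
  let status = "missing";
  if (evidence.length >= 2) status = "covered";
  else if (evidence.length === 1) status = "partial";
  return { clause: clause.id, status, evidence };
}

// Readiness = (covered x 1.0 + partial x 0.5 + missing x 0.0) / total clauses.
function readinessPercent({ covered, partial, missing }) {
  const total = covered + partial + missing;
  if (total === 0) return 0; // no clauses assessed
  return Math.round(((covered * 1.0 + partial * 0.5) / total) * 100);
}

// Tally clause results for one standard and compute its readiness.
function summarize(results) {
  const counts = { covered: 0, partial: 0, missing: 0 };
  for (const r of results) counts[r.status] += 1;
  return { ...counts, readiness: readinessPercent(counts) };
}

console.log(classifyClause(CLAUSE_8_5, SAMPLE_REQUIREMENTS));
console.log(classifyClause(CLAUSE_8_5, [SAMPLE_REQUIREMENTS[2]]));
console.log(readinessPercent({ covered: 17, partial: 5, missing: 5 }));
```

REQ-060 is the literal-matching limitation in action: its wording is conceptually close to corrective action, yet it contributes no evidence, so a project containing only that requirement scores the clause as missing.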


Understanding Covered, Partial, and Missing

The three coverage states have specific definitions:

Covered

A clause is “covered” when a requirement exists that addresses the clause AND that requirement has linked passing tests.

In static mode: two or more requirements match the clause’s keywords.

In AI mode: the AI determines that one or more requirements substantively address the clause intent, and those requirements have linked tests with passing status.

Covered means “we have documented evidence that this clause is addressed and verified.”

Partial

A clause is “partial” when a requirement exists that addresses the clause but the evidence is insufficient.

In static mode: exactly one requirement matches the clause’s keywords.

In AI mode: the AI finds requirements that partially address the clause, or the relevant requirements lack linked tests, or the linked tests have not passed.

Partial means “we have started addressing this clause but the coverage is not complete.”

Missing

A clause is “missing” when no requirement in the project addresses it.

In static mode: no requirements match the clause’s keywords.

In AI mode: the AI cannot identify any requirement that addresses the clause’s intent.

Missing means “we have a regulatory blind spot that needs attention.”


The “Generate Requirement” Button

For each clause marked as “partial” or “missing,” QAtrial provides a “Generate Requirement” button. Clicking this button creates a new requirement pre-populated with:

  • Title: A requirement title that references the standard clause (e.g., “ISO 13485 §8.5 — Corrective and Preventive Action Procedures”)
  • Description: A detailed requirement description based on the clause’s content
  • Tags: Relevant tags for linking (e.g., “capa,” “corrective-action,” “iso-13485”)
  • Risk level: An appropriate risk level based on the clause’s criticality
  • Regulatory reference: The specific clause citation

The generated requirement is added to your project in “Draft” status. You should review and refine it before advancing it to “Active.” The auto-generated content is a starting point — it captures the regulatory intent, but your specific implementation context may require adjustments.


“Generate Requirements for All Gaps” Bulk Action

For projects with many gaps, creating requirements one by one is tedious. The “Generate Requirements for All Gaps” button creates requirements for every clause marked “partial” or “missing” in a single action.

Each generated requirement includes the same metadata as individual generation: title with clause reference, description, tags, risk level, and regulatory reference. All requirements are created in “Draft” status.

Bulk generation is useful when starting a new project or when a gap analysis reveals systematic coverage weaknesses. After bulk generation, the team should review each generated requirement, refine descriptions to match the project context, and establish test linkages.

A word of caution: generating requirements for all gaps does not mean the gaps are addressed. It means the gaps are now documented as requirements that need implementation, testing, and approval. Generating the requirement is step one; building the evidence chain is the actual work.


ISO 13485 Assessment Tab: The Dedicated View

Separate from the general gap analysis, QAtrial provides a dedicated ISO 13485:2016 assessment tab on the Evaluation dashboard. This view covers all 27 clauses of ISO 13485, organized into five sections:

  1. Quality Management System (clauses 4.1, 4.2.1-4.2.5): QMS general requirements, documentation, quality manual, medical device file, document control, record control
  2. Management Responsibility (clauses 5.1-5.6): Management commitment, customer focus, quality policy, planning, responsibility and authority, management review
  3. Resource Management (clauses 6.1-6.4): Provision of resources, human resources, infrastructure, work environment and contamination control
  4. Product Realization (clauses 7.1-7.6): Planning, customer-related processes, design and development, purchasing, production and service provision, monitoring and measuring equipment
  5. Measurement and Improvement (clauses 8.1-8.5): General measurement, monitoring (including complaints and audits), nonconforming product control, data analysis, improvement (CAPA)

Each clause has a criticality rating (critical, high, medium, low) that helps teams prioritize. Clauses rated “critical” — such as 4.1 (QMS General), 4.2.3 (Medical Device File), 7.3 (Design and Development), 7.5 (Production), 8.2 (Monitoring), 8.3 (Nonconforming Product), and 8.5 (CAPA) — demand immediate attention when they show as gaps.

The ISO 13485 assessment supports both keyword-based static analysis and AI-powered analysis, using the same toggle mechanism as the general gap analysis.


Common Misuse to Avoid

Gap analysis is a tool for identifying regulatory blind spots. It is not a compliance certificate.

Treating AI output as a final compliance judgment. The AI assesses textual coverage — whether your requirements appear to address the regulatory intent. It does not verify that your organization actually implements those requirements. Having a requirement about “training records” does not mean your training records are adequate. The AI cannot assess implementation quality.

Generating requirements for all gaps and calling it done. Generating requirements addresses the documentation gap, not the compliance gap. Each generated requirement needs implementation: linked tests, risk assessment, evidence, and approval signatures.

Running gap analysis once and filing it. Gap analysis results reflect your project at a point in time. As requirements are added, modified, or deleted, the gap profile changes. Run gap analysis periodically — after major project milestones, after requirement changes, and before audits.


Final Takeaway

Gap analysis converts a vague concern (“are we covering all the regulations?”) into a structured, actionable assessment. QAtrial provides two modes: keyword-based static analysis for quick baselines and AI-powered analysis for deeper semantic evaluation. Results show covered, partial, and missing clauses with per-standard readiness percentages. The “Generate Requirement” button converts gaps into actionable work items. And the dedicated ISO 13485 assessment tab gives medical device teams a focused view of their quality system readiness.

Use gap analysis as a regular readiness check, not a one-time exercise. And remember: the analysis identifies documentation gaps — closing the actual compliance gaps requires implementation, testing, and evidence.


  • How AI Works in QAtrial — How AI providers are configured and how provenance tracking works
  • Reports — How gap analysis results appear in Gap Analysis Reports and Submission Packages
  • Audit Readiness — How gap analysis contributes to the Compliance Readiness Score and audit preparation

Try gap analysis on a pilot project. Clone the repository from github.com/MeyerThorsten/QAtrial, run npm install && npm run dev, and create a project with a country and vertical. Navigate to the Evaluation tab, open the Compliance sub-tab, and click “Run Gap Analysis” to see how your project’s requirements map against applicable standards.
