Your AICA Questions, Answered
The follow-up to our official launch explainer. We run through your questions.
Yesterday, we officially launched AICA — the Audit Intelligence Compliance Assistant — and published a detailed breakdown of the platform to give you a primer. Read it here first if you haven’t yet:
It covers the benchmarking data behind AICA, the full workflow, the EPAM partnership, the security architecture, the implementation process, and the roadmap.
Today, we’re following up with something we know you’ll need next: answers to the questions we’ve been anticipating and actually hearing from quality leaders, IT teams, and compliance professionals who’ve been looking at AICA.
We’ve organized these into seven categories. Scan for what’s relevant to you, or read straight through. We tried to be thorough without being vague. If you have a question that’s not answered here, head to our contact form to let us know.
If you want to keep or circulate these, download the PDF version below.
Let’s start with by far the most common question we’ve gotten so far:
Is AICA available for medical device regulations?
Not quite yet, but it’s in development. Right now, AICA supports only pharma and biologic compliance auditing, with full coverage of 21 CFR Parts 11, 211, and 600, and additional clinical-focused CFR parts and ICH guidance documents in active development.
Expansion into medical device regulatory frameworks, including ISO 13485 and FDA QMSR (21 CFR Part 820), is planned as part of our product roadmap. While these modules are not yet available, our development sequencing is already underway, and we anticipate phased expansion based on the demand we see (which looks to be a lot!) and partnership opportunities.
If medical device compliance is a priority for you, we’re actively seeking device/medtech partner organizations to help shape and validate these new modules. Partnering with teams willing to contribute real-world QMS documentation will help us build more accurate, practical coverage and provide early access to new regulation modules as they’re developed.
Please contact our team to discuss roadmap alignment and early access to medical device opportunities with AICA. If you’re interested in using this tool for medical device compliance, we want to talk to you! Use our contact form to express your interest.
Security and data privacy
Will my confidential QMS documents be secure?
Absolutely. AICA is built on a secure, cloud-based infrastructure with enterprise-grade encryption for all data transmissions. Your confidential documents are stored in isolated, access-controlled environments.
Most importantly, your data is never used to train our AI model. AICA was trained exclusively on curated biopharma QMS documents explicitly provided for that purpose by regulatory experts, not on customer data. You retain complete ownership and control of your documentation at all times. For organizations with stringent security requirements, AICA can be deployed on your own private cloud infrastructure, ensuring your documents never leave your controlled environment.
Can documents be deleted after analysis?
Yes. You have full control over document retention. Documents can be deleted immediately after AICA completes its analysis if you prefer not to store them in the platform. You can also configure automated deletion policies based on your organization’s data retention requirements.
What happens to the analysis reports and observations?
Analysis reports and the observations they contain remain in your secure AICA workspace until you choose to delete them. These reports do not contain your actual QMS documents—only references to them, along with the gap analysis and recommendations. You can export reports at any time and manage them according to your internal document control procedures.
Where is my data physically stored?
Your data is stored on Microsoft Azure servers located in the United States. All application databases and storage services are hosted in the Azure region selected for the deployment, ensuring that your information remains physically within U.S. data centers. Azure does not move data outside the country unless explicitly configured for cross-region replication.
Who has access to my documents?
No one at The FDA Group or EPAM personally reviews your documents unless you explicitly opt in to share them for model improvement. Your audits and uploaded documents are not viewed by humans, unless you turn on the optional “Improve the model” setting. If you keep this setting off, your data is not used for training and is not manually reviewed.
A very small number of authorized FDA Group employees may access data only when needed for (1) addressing platform security issues or (2) resolving technical problems you report. This access is tightly controlled, audited, and restricted under strict privacy and security policies. All access is RBAC-controlled, encrypted, logged, and fully auditable within the secure Azure US-based environment.
Accuracy and reliability
How accurate is AICA? Can I trust AI to identify real compliance gaps?
AICA was designed with accuracy as the primary objective. The platform was trained by FDA subject matter experts using real-world pharma QMS documents and validated against known compliance gaps. The training process specifically focused on minimizing false positives (identifying problems that don’t exist) while maintaining sensitivity to genuine compliance issues.
AICA is designed with “human in the loop” as a fundamental principle. Every observation generated by the AI must be reviewed and approved by a qualified quality professional before the report is finalized. This validation step ensures that AI-generated findings are contextually appropriate for your specific organization and products. You have complete control over which observations are included in the final report.
What if AICA misses something or gets something wrong?
AICA analyzes QMS documentation, including policies, procedures, and work instructions that describe how your quality system should operate. It identifies gaps between what these documents say and what regulations require. However, like any audit tool, it should be part of a comprehensive compliance program that includes:
Review of actual implementation (are you following your procedures?)
Examination of quality records (batch records, test results, etc.)
Personnel interviews and training verification
Physical facility observations
AICA dramatically improves the efficiency and comprehensiveness of the documentation review portion of audits, but it doesn’t replace the need for qualified auditors to verify that your QMS is actually being implemented as documented. Additionally, during the review process, you can add your own observations based on institutional knowledge that the AI might not capture, edit AI-generated observations for clarity or context, or reject observations that don’t apply to your specific situation.
How does AICA handle complex or nuanced regulatory requirements that might require interpretation?
This is exactly why AICA was trained by regulatory experts and auditors rather than just being fed regulatory text. These experts brought their practical understanding of how regulations are interpreted and applied during actual inspections. When regulations contain ambiguous language or require professional judgment, AICA provides observations that reflect realistic regulatory expectations based on this expert training. However, AICA also recognizes its limitations.
For highly complex, situation-specific requirements, the platform may flag areas for human review rather than attempting to provide definitive assessments. The platform is designed to augment expert judgment, not replace it.
What happens when regulations change?
You will be notified when regulations within AICA are updated. Because AICA’s regulations are based on the CFR, changes to them are infrequent and typically accompanied by significant advance notice from the agency. As notifications of upcoming regulatory changes are published, we work to update the system so that once changes take effect, they are live within AICA.
In both cases of new regulations being introduced or existing regulations being changed, customers will receive notification of the updates along with release notes on how the changes impact AICA’s functionality.
How quickly are new regulations added?
We add new regulations according to a set schedule based on our determination of the most relevant regulations for our customers. If you are interested in regulations that are not listed, contact your AICA representative to discuss options to add your regulations of interest to AICA.
How are changes to existing regulations reflected?
We regularly review all applicable regulations for additions and other changes as part of our consulting service, as well as AICA. Changes are first tested internally and once validated, pushed to the then-current version of AICA. These updates happen at least annually, though they may be more frequent.
In both cases of new regulations being introduced or existing regulations being changed, customers will receive notification of the updates along with any additional release notes on how the changes impact AICA’s functionality.
Implementation and usage
What does setting up AICA entail?
AICA is a cloud-based, AI-powered SaaS platform. Once you have obtained a use license, we’ll provide you with a welcome email that contains all the necessary information to log in and access the AICA platform through your web browser. Once you have logged in, AICA is ready to use. No further setup is required. Simply upload the SOPs you want analyzed to begin using the software.
If you’re interested in on-prem installation for your organization’s private cloud, please contact us. (A few enterprise firms have expressed this as a need, and we can accomplish it.)
Recommended devices: Desktop and laptop computers are fully optimized for modern browsers on Windows and macOS. Tablets have limited support in the current release phase. Mobile devices are not supported in the current release phase.
Supported browsers: Google Chrome (latest version), Microsoft Edge (latest version), and Safari (latest version) are fully supported. Firefox and Internet Explorer are not supported.
Do I need technical expertise or IT support to use AICA?
No specialized technical expertise is required! If you can upload documents to a cloud platform (similar to Dropbox or Google Drive), review audit reports and compliance findings, and navigate a web-based interface, then you have all the technical skills needed to use AICA effectively. The platform was designed by regulatory professionals for regulatory professionals, with an intuitive interface that doesn’t require an IT background or coding knowledge.
What file formats does AICA accept?
AICA currently accepts PDF files (including scanned documents via OCR) and Microsoft Word documents (.doc and .docx). These formats cover the vast majority of QMS documentation in the life sciences industry. Support for additional formats may be added based on feedback and demand.
Can AICA integrate with our existing eQMS platform?
Integration capabilities with eQMS platforms like MasterControl, Veeva Vault, TrackWise, and others are in development. The goal is to allow AICA to automatically pull the latest versions of your documents for analysis, ensuring you’re always auditing against current documentation. Right now, document upload is manual, but your feedback on integration priorities will help us determine which eQMS platforms to prioritize for integration development.
How many documents can I upload at once?
AICA is built on a cloud infrastructure designed to scale. You can upload documents individually or in batches. The platform can handle everything from small, focused audits (10-20 documents) to comprehensive enterprise-wide assessments (thousands of documents across your entire QMS). Processing time scales with document volume, but even large audits are completed in minutes rather than days or weeks.
The maximum file size per document is 512 MB.
What if my documents are in languages other than English?
AICA currently only supports English. If you’re interested in AICA supporting your non-English documents, contact your The FDA Group account manager.
Can I run partial audits (just certain procedures) or does it have to be my entire QMS?
Yes, you can run focused audits on specific subsets of documents. Simply upload and select the specific documents and regulatory requirements you want to analyze. For more comprehensive analysis, we recommend running the entire QMS set together. This helps AICA generate more accurate insights, ensures better context coverage, and supports higher-quality compliance evaluation.
Regulatory and compliance
Is AICA itself a validated system? Do I need to validate it before using it?
This is an excellent question that gets at a common concern about using AI tools in regulated environments. AICA is a quality tool used to assess documentation, not a system that directly impacts product quality, manufacturing processes, or patient safety. It functions similarly to how a human auditor functions—it reviews documents and generates observations for human review and decision-making.
That said, we, in partnership with EPAM, have developed AICA following a rigorous software development lifecycle with input from a group of regulatory experts. The platform underwent extensive testing and validation during development to ensure it performs its intended function accurately and reliably.
We recommend treating AICA outputs as preliminary audit findings that require human validation, which is exactly how the platform is designed to be used (human in the loop). The observations AICA generates should be reviewed by qualified quality professionals before being acted upon, just as you would review findings from any audit team member.
Can I use AICA’s reports for regulatory submissions or show them to FDA investigators?
AICA’s reports are designed to support internal audits, management review, and audit preparation, all of which are required by many common regulations. The reports can serve as evidence that you’re conducting systematic QMS assessments as required.
However, we recommend treating AICA as an internal audit tool. The reports document gaps you’ve identified and corrected, demonstrating proactive compliance management. If an FDA inspector asks how you conduct internal audits, you can certainly explain that you use AI-assisted audit tools to achieve more comprehensive coverage than traditional sampling-based approaches.
Some organizations may choose to share AICA reports with regulatory auditors as evidence of their systematic approach to compliance monitoring. Others may prefer to use AICA internally and generate separate audit reports in their standard formats. Either approach is valid, and the choice depends on your comfort level and regulatory strategy.
What specific regulations does AICA currently support?
AICA currently includes full, operationalized coverage of the following CFR Parts:
Title 21 CFR Part 11 – Electronic Records; Electronic Signatures Subparts A-C: Includes controls for closed/open systems, electronic signatures, system validation, audit trails, and identity controls.
Title 21 CFR Part 211 – Current Good Manufacturing Practice for Finished Pharmaceuticals Subparts A-K: Includes personnel qualifications, facilities and equipment, production and process controls, packaging/labeling, laboratory controls, records and reports, returned/salvaged product procedures.
Title 21 CFR Part 600 – Biological Products Subparts A-D: Includes establishment standards, recordkeeping, postmarketing reporting, shipment/temperature controls, inspection standards.
These CFRs are fully implemented and mapped at the section and subsection levels for audit readiness within AICA.
Regulations in development:
The following CFR Parts and FDA guidance documents are currently being added to AICA:
Key CFR additions: 21 CFR Part 50 (Protection of Human Subjects), 21 CFR Part 54 (Financial Disclosure by Clinical Investigators), 21 CFR Part 56 (Institutional Review Boards), 21 CFR Part 58 (Good Laboratory Practice), 21 CFR Part 312 (Investigational New Drug Application), 21 CFR Part 314 (Applications for FDA Approval to Market a New Drug), 21 CFR Part 320 (Bioavailability/Bioequivalence Requirements), and expanded 21 CFR Part 11 for clinical systems.
Key FDA guidance documents in scope: ICH E6(R2) (Good Clinical Practice), ICH E9 (Statistical Principles for Clinical Trials), CPGM 7348.811 (Bioresearch Monitoring Program), FDA Guidance on Risk-Based Monitoring of Clinical Investigations, FDA Guidance on Computerized Systems Used in Clinical Investigations, and FDA Guidance on Investigator Responsibilities.
These will be available for functional testing but will not be fully validated until we engage with external organizations using real QMS documentation. Partnering groups will play a critical role in shaping and validating these modules.
Are new regulations added automatically or do I need to request them?
New regulations are added according to a set schedule based on our determination of the most relevant regulations for customers. When new regulations are added or existing ones updated, customers receive notification along with release notes on how the changes impact AICA’s functionality. If you are interested in regulations not currently listed, contact us to discuss options for adding them.
Can AICA audit against internal company standards or procedures?
No. AICA currently audits your QMS documentation against published regulatory requirements (CFR Parts and FDA guidance documents). It does not support auditing against custom internal company standards or proprietary procedures.
Contact and support
Who do I contact if I have questions or need support?
Support is built directly into the platform. You can report an issue or submit a feedback form from within the application itself, and there’s also a contact support option that routes to the AICA team. Expectations are clear from day one. For enterprise clients with more complex deployments, we can negotiate enhanced SLA commitments.
What if I encounter a bug or technical problem?
Report it immediately through any of the support channels above. Your bug reports and problem descriptions are invaluable feedback that makes AICA better for everyone. We’ll work with you to resolve any technical issues quickly, and we’ll keep you informed about fixes and updates as they’re implemented. We’ll walk you through all of this during onboarding.
Getting started
What information do I need to provide to get started?
Very little, by design! Once you’re onboarded, you simply provide the email address(es) of the end users who will be accessing the platform and we’ll send them a welcome email with everything they need to get in. No lengthy intake forms, no facility counts, no regulatory scope documentation required upfront. The heavier-lift conversations (like IT security requirements, supplier qualification, contract details) happen during the agreement phase before you get to that point, so by the time you’re setting up accounts, the hard work is already done.
What’s the typical onboarding timeline from contract to first audit?
About one to two weeks from the signed agreement to running your first audit. The process moves through a defined sequence — agreement processing, security and compliance review, white glove implementation setup, and a training and workflow orientation — but it’s designed to move efficiently. The goal is to get you to first value fast, not to drag you through a lengthy enterprise software implementation. Your account manager follows up within the first week to make sure you’re up and running and to answer any early questions.
Do you provide implementation support or is it self-service?
Both, in the right proportion. AICA is built to be intuitive enough that you can start uploading documents and generating audit reports without hand-holding. But we don’t just hand you a login and wish you luck. Every new customer receives a white glove implementation setup, a training and workflow orientation session, and a dedicated customer success manager. There’s also technical support and a human escalation path for anything that needs real attention. If your organization has specific regulatory requirements or custom workflow needs, we can accommodate those too.
Still have questions?
Contact Alan Greathouse at agreathouse@thefdagroup.com or visit aica.thefdagroup.com.
If you’re ready to see AICA in action, you can request a demo directly from the website. We’ll follow up within one business day.
What is AICA?
AICA (the Audit Intelligence Compliance Assistant) is an AI-powered compliance auditing platform purpose-built for pharmaceutical and biologic companies.
Developed by The FDA Group in partnership with EPAM Systems, AICA is trained by 15+ FDA and ISO regulatory experts on real-world pharma QMS documentation. Upload your documents, select which regulations to audit against, and get a comprehensive gap analysis of your entire QMS in hours, not days or weeks. Every finding goes through human review before the final report.
See it in action:
AICA currently supports 21 CFR Parts 11, 211, and 600, with additional regulations in active development.
Learn more, read our FAQs, or request a demo at aica.thefdagroup.com.