Strategy & Concept

Do AI use cases already exist in your organization?

No Yes, but not GxP-relevant Yes, but unclear whether GxP-relevant Yes, clearly GxP-relevant

Has the AI use case been assessed with regard to patient safety, product quality, and data integrity?

No Initial informal assessment Structured risk assessment performed Risk assessment serves as a documented basis for decision-making

Is there a structured process for the evaluation and testing of AI ideas

No Ad‑hoc testing without a formal framework PoC process is defined PoC process is established with defined evaluation criteria and transition into the project phase

Governance & Organization

Are clear responsibilities defined for development, operation, and monitoring of the AI system?

No Implicitly distributed Roles are defined Roles are formally anchored within the governance/QMS framework

Is the use of AI organizationally and procedurally embedded in existing IT, quality, and validation structures?

AI is considered in isolation Initial points of integration exist Partially integrated Fully integrated

Is it defined which level of autonomy the AI system has and where human review is mandatory?

No Informally known Levels of autonomy are defined for the use case Levels of autonomy are documented and human‑in‑the‑loop requirements are operationally implemented

Data & Model Quality

Are the origin, purpose, and quality of the data used for AI traceable?

No Partially known Largely documented Fully documented and traceable

Are data‑ or model‑related risks (e.g. bias, drift) consciously addressed?

Not considered Awareness exists Risks are assessed Monitoring and mitigation measures are defined

Are AI results and decisions critically challenged and validated by subject matter experts (critical thinking)?

No, AI results are accepted as is Occasionally, depending on individuals Systematic review is intended Critical review is integrated into processes and training

Suppliers & Transparency

Is responsibility between suppliers and operators clearly defined and taken into account in operations?

No Partially Contractually regulated Contractually regulated and operationally implemented

Is there sufficient transparency regarding changes to models, data, or AI functions made by suppliers?

No Limited Documented information available Auditable transparency in place

Lifecycle & Operation

Is the AI system considered across its entire lifecycle (not only until go‑live)?

No Partially Documented Operationally implemented

Are performance indicators and monitoring criteria defined for ongoing operation?

No Roughly defined Clearly defined Defined including thresholds and response measures

Are there clear rules defining when adjustments, re‑training, or re‑validation are required?

No Discussed Defined Anchored in SOPs / processes

Is the IT infrastructure suitable for AI operation (e.g. data storage, model versioning, deployment)?

Not assessed Basic infrastructure available AI‑specific requirements have been identified and partially implemented End‑to‑end MLOps / AI infrastructure established

Regulatory & Competence

Are transparency, traceability, and fairness of AI systematically considered?

No Generally considered Assessed Integrated into governance and decision‑making processes

Has the relevance of regulatory requirements (e.g. EU AI Act, GDPR, GxP) for the use of AI been assessed?

No Uncertain Assessed Measures have been derived