Qualitum technical documentation.
A deep, indexable reference for CSV engineers, Heads of Validation, and the regulators they speak to. Compliance frameworks cited by clause. Architecture diagrams. Platform validation evidence pack under MNDA. Integration connector specs. Inspection-readiness case studies.
Start here
If you are a CSV engineer or Head of Validation evaluating Qualitum, the four pages below are the highest-signal places to start. Everything else is here when you need it.
21 CFR Part 11 - full compliance assessment
Sub-part B and sub-part C clause-by-clause. How signatures, audit trails, and record retention work on the platform.
Platform validation evidence pack
GAMP 5 Category 4 baseline. Available to qualified prospects under MNDA. Site-specific configuration validated as part of your CSV lifecycle.
Private deployment topology
Single-tenant VPC on AWS, Azure, on-prem. Air-gapped. Customer-managed keys. Zero egress. EU, US, UAE residency.
Equipment URS-Match methodology
How candidate equipment is scored against your URS for the procurement decision. Auditor-defensible, vendor-neutral.
21 CFR Part 11 - Qualitum compliance assessment
The full Part 11 compliance posture - sub-part B (electronic records, §11.10) and sub-part C (electronic signatures, §11.100, §11.200, §11.300) - addressed clause by clause. This page is the canonical reference for InfoSec, QA, and IT compliance reviewers.
Detailed walkthroughs of §11.10(a) validation, §11.10(c) record retention, §11.10(e) audit trails, and §11.50, §11.70, §11.100, §11.200 signature requirements. Tamper-evident ledger architecture, two-component signing, biometric option, and meaning-of-signing capture. Each clause cited; each implementation traced to the platform mechanism that satisfies it.
Full reference document - 1,800 words, with architecture diagram - available under MNDA. Ask your account team or email hello@qualitum.ai.
EudraLex Annex 11 - clause-by-clause coverage
EudraLex Volume 4, Annex 11 (Computerised Systems) addressed clause by clause. The seventeen clauses with particular focus on §4 (validation), §7 (data storage), §9 (audit trails), and §17 (archiving) which surface most often in inspection findings. Each clause is mapped to a platform mechanism, a configuration option, or a customer-side validation responsibility. Where the agent introduces a new control, the control is mapped to a clause; where the platform inherits a control from the underlying infrastructure (cloud provider, identity provider), the inheritance is documented.
EudraLex Annex 15 - Qualification & Validation
The V-model spine. DQ, IQ, OQ, PQ, FAT, SAT, requalification triggers. Annex 15 (2015) and its relationship to ICH Q8/Q9/Q10 lifecycle thinking. The agentic interpretation of each Annex 15 phase, written for a CSV engineer.
GAMP 5 (Second Edition, 2022) - categorisation and approach
How Qualitum interprets ISPE GAMP 5 Second Edition. Categories 1 through 5, supplier assessment, critical thinking. How agentic outputs are scoped per category. The reasoning trail from URS to test depth.
ICH Q9(R1) - Risk Management
Quality Risk Management per ICH Q9 (R1, January 2023). Critical thinking documentation, formal risk assessment scoping, risk-based validation depth. Risk·AI extends this into a first-class agentic system - the Validate·AI scope of Q9 is preview here.
ALCOA+ - data integrity enforcement
The nine criteria. Attributable, Legible, Contemporaneous, Original, Accurate - plus Complete, Consistent, Enduring, Available. How each is enforced at write time, how each is verified at review time, how drift between the two surfaces as a deviation. Aligned with MHRA GxP Data Integrity Guidance (2018), WHO TRS 1019 Annex 5 (2019), and PIC/S PI 041-1.
FDA Computer Software Assurance (CSA) guidance
FDA Draft Guidance Computer Software Assurance for Production and Quality System Software (September 2022). How Qualitum operationalises CSA - risk-based testing, critical thinking, scripted vs. unscripted dynamic testing, evidence weight by record-of-criticality. The ISPE GAMP CSA Concept Paper alignment.
EU AI Act - high-risk AI system applicability
Articles 9, 12, 13, 14, 17, 72 applied to a high-risk agentic AI system deployed in life sciences manufacturing. Risk management, record-keeping, transparency, human oversight, post-market monitoring. The Qualitum AI model governance regime is documented as the corresponding control.
Equipment URS-Match methodology
Validate·AI scores candidate equipment against your URS. The methodology: requirement decomposition into testable criteria; vendor-spec extraction from OEM data sheets, FDS, and proposal documents; pairwise scoring per criterion with confidence; gap surface; DQ draft generation; auditable reasoning trail per scored item. Procurement decisions stay in your ERP. Technical defensibility lives here, vendor-neutral, no PO data ever leaves the customer perimeter.
Version & jurisdiction tracking
Global pharma operates the same system across countries, sites, and equipment generations - each with its own validated state. The trace graph tracks every variant: which site, which country regulator (FDA, EMA, MHRA, PMDA, ANVISA, CDSCO), which equipment serial, which SOP revision. Periodic review triggers per jurisdiction. Inspection-ready per jurisdiction. No spreadsheets, no parallel matrices.
Platform validation evidence pack
The platform itself is validated as a GAMP 5 Category 4 baseline. Platform validation evidence pack available to qualified prospects under MNDA. Includes Validation Plan, Risk Assessment, IQ/OQ summary, Traceability Matrix, and Configuration Management Plan. Site-specific configuration is validated as part of the customer's CSV lifecycle; the evidence pack is the platform-side input to that work.
Private deployment topology
Single-tenant VPC. The runtime - agentic orchestration, model inference, vector store, retrieval, audit log - runs inside the customer's perimeter on AWS, Azure, or on-prem. Air-gapped deployments supported. Customer-managed encryption keys. Zero egress on every channel: no prompt content, no completions, no embeddings, no telemetry leaves the network.
Data residency - EU, US, UAE
Region-pinned by customer choice. EU residency for GDPR Article 44 transfer restrictions. US residency for HIPAA-adjacent customers. UAE residency for GCC manufacturers. Replication across regions only with explicit customer-signed Data Processing Addendum.
Model architecture - frontier or local
The agentic system is model-agnostic. Frontier models (Claude, GPT, Gemini) via hyperscaler partnerships under enterprise terms with zero data retention. Or local open-weight models (Llama 3, Mistral, customer fine-tunes) on customer GPU infrastructure. Model selection is per workflow, configurable per agent. Retraining on customer data is architecturally disabled.
Identity & access
SAML 2.0, OIDC, SCIM. Native integrations with Okta, Entra ID, Ping Identity. Role-based access enforced at the agent boundary. Privileged access requires customer-side step-up authentication. No service accounts with standing access to customer data.
Audit log architecture
Tamper-evident, append-only ledger. Every agent action, every retrieval, every reasoning step, every signature. Cryptographically chained. Time-stamped by an authoritative clock source, not by the application server. Exportable to customer SIEM (Splunk, Sentinel, Sumo Logic) via standard syslog or webhook.
API reference
REST API for connector ingestion and agent invocation. OAuth 2.0 client-credentials flow for service-to-service calls. SCIM 2.0 for user lifecycle. Webhook outbound for status, signature, and deviation events. Full OpenAPI specification available to customers through the developer portal - issued under MNDA.
This is the public surface. Full documentation - including the platform validation evidence pack, Configuration Management Plan, integration connector specs, and anonymised inspection case studies - is available under MNDA. Email hello@qualitum.ai or book a working session.