The validation work, done.
Not just tracked.

Yes. The agent classifies each system per GAMP 5 Second Edition - Category 3 (non-configured COTS), Category 4 (configured), Category 5 (custom developed). Classification drives test depth, supplier assessment scope, and lifecycle artefact requirements. Category 1 (infrastructure) and the supplier/internal split are also handled.

Classification is reviewer-assistive, never autonomous. The agent proposes the category and the reasoning. Your CSV lead confirms, escalates, or overrides. The categorisation decision and rationale are part of the audit trail.

CSA is native. Test scripts are scoped against patient-safety, product-quality, and data-integrity risk - not against a defaults checklist. Low-risk functionality gets unscripted dynamic testing or scripted record-light testing. High-risk functionality gets the full scripted approach with formal evidence capture.

The FDA Draft Guidance "Computer Software Assurance for Production and Quality System Software" (September 2022) is operationalised. ISPE GAMP 5 Second Edition (July 2022) and the ISPE GAMP CSA Concept Paper align here.

Electronic signatures (§11.50, §11.70, §11.100, §11.200). Each signature captures the printed name of the signer, date and time of signing, and the meaning of the signing. Signatures are linked to their records such that they cannot be excised, copied, or transferred. Two-component signing (identification + secret) with biometric option supported.

Audit trails (§11.10(e)). Computer-generated, time-stamped, independent of operator action. Records the operator, the date/time, the action, and the prior value. Tamper-evident at the platform layer.

Record retention (§11.10(c)). Records protected to enable their accurate and ready retrieval throughout the retention period. Configurable retention windows per record class; legal-hold supported.

§4 (Validation). The platform itself is validated as a GAMP 5 Category 4 baseline; site-specific configuration is validated as part of the customer's CSV lifecycle. Validation Summary Report available under MNDA.

§7 (Data storage). Data resides inside your tenant, encrypted at rest with customer-managed keys. Periodic checks for accessibility, readability, and accuracy are scheduled and evidenced.

§9 (Audit trails). Computer-generated, time-sequenced, tamper-evident. Recorded with sufficient detail to reconstruct the sequence of activities. Reviewed continuously - not sampled.

§17 (Archiving). Records archived in a manner that preserves data integrity for the regulatory retention period. Migration controls maintain readability across platform upgrades.

Live. The RTM is not a document - it is a graph. Every requirement (URS), every specification (FS, DS), every test case (IQ, OQ, PQ), every signed record is a node. Every relationship is an edge. The agent maintains the edges continuously as artefacts evolve.

Impact analysis on change is therefore a graph traversal, not a manual audit. When a URS clause changes, the platform tells you exactly which FS items, test cases, and signed records are affected - immediately.

The RTM can be exported as a document for inspection submission. The source of truth is the graph.

The agent owns triage. Your QA owns the decision and the signature.

When a test fails, the agent immediately drafts a deviation record - what failed, what was expected, what was observed, what the immediate impact assessment looks like, what the proposed root cause is (with citations to the URS clause, SOP, and prior CAPAs). The draft is logged in the deviation queue.

The investigator reviews the draft. Adjusts root cause if needed. Approves or rejects the proposed CAPA. The signature is human, attributable, and part of the audit trail. Handoff to your eQMS (TrackWise, Veeva Quality, MasterControl, ETQ) is bi-directional.

Every record passes ALCOA+ checks on every cycle. Not sampled. Reviewed.

Attributable - every action carries the authenticated identity of the actor (human or agent). Legible - records render to the standard your QA uses. Contemporaneous - timestamps are captured at the moment of the action, by a server clock, not the client. Original - the source record is preserved; copies are explicitly marked as such. Accurate - validation checks at write time, audit checks at review time.

The plus-four (Complete, Consistent, Enduring, Available) is enforced as part of the platform's continuous audit pipeline. MHRA's "GxP Data Integrity Guidance and Definitions" (2018), WHO TRS 1019 Annex 5 (2019), and PIC/S PI 041-1 align here.

Both. Retrospective validation is a common entry point. The agent reads the legacy documentation (URS, change control history, prior IQ/OQ/PQ packages, deviation logs), reconstructs the trace graph, identifies gaps against current GAMP 5 expectations, and drafts the remediation evidence pack.

For forward-looking projects the agent runs the full lifecycle from URS to PQ. For legacy systems it reconciles the past and brings it under continuous review going forward.

Bi-directional, validated connectors. Three usage patterns:

Pattern A - Author here, archive there. Validate·AI authors and executes; the existing system of record receives the signed, validated artefact and stores it as the system-of-record copy. Most common pattern with Kneat and ValGenesis customers.

Pattern B - Author there, augment here. The existing system stays the authoring environment; Validate·AI runs deviation triage, RTM maintenance, ALCOA+ audit, and inspection-readiness on top of the records.

Pattern C - Replace the document layer, keep the eQMS. Validate·AI becomes the validation-content layer; deviations, CAPAs, and change controls flow to your eQMS (TrackWise, Veeva Quality, MasterControl, ETQ) as before.

They see three things, on request, in real time:

The narrative. Inspector walkthrough mode generates a guided narrative from your VMP through every system, every deviation, every CAPA - in the language the inspector expects. PMDA-style? FDA-style? MHRA-style? Configurable.

The defence pack. Every action attributable, every record tamper-evident, every decision citable to the SOP clause and the standard. Generated on demand, exported as a regulator-readable package.

The trace graph. Live, queryable, navigable. The inspector can ask "show me the test evidence for URS-014" and get it in two clicks.

Yes, yes, and yes.

The platform is validated as a GAMP 5 Category 4 baseline. Platform validation evidence pack available to qualified prospects under MNDA - includes Validation Plan, Risk Assessment, IQ/OQ summary, Traceability Matrix, and Configuration Management Plan. Site-specific configuration is validated as part of the customer's lifecycle.

The AI model layer is governed under a separate model-governance regime aligned to EU AI Act Articles 12-13, NIST AI RMF, and ICH Q9(R1) risk-based AI lifecycle. Model cards per agent. Change control via signed releases. Drift detection and post-market monitoring engineered in.

All in scope.

Method validation per ICH Q2(R2) (2023). Specificity, linearity, accuracy, precision, range, detection limit, quantitation limit, robustness. Method transfer per USP<1224> with comparative testing, co-validation, or revalidation as appropriate.

Cleaning validation with health-based exposure limits (PDE/ADE) per EMA Q&A on Implementation of Risk-based Prevention of Cross-Contamination, toxicology-driven worst-case limits, and validated cleaning procedures.

Process validation per the FDA 2011 Guidance and EMA equivalent. Stage 1 (process design), Stage 2 (process performance qualification, PPQ), Stage 3 (continued process verification, CPV). ICH Q8/Q9/Q10 aligned.

Yes. ATMP and cell-and-gene have unique validation pressure - personalised batches, vein-to-vein traceability, chain of identity, very tight aseptic envelopes. The platform handles per-batch evidence assembly in line with manufacturing, chain-of-identity and chain-of-custody captured as data not paper, and Annex 1 (2022) aseptic-process alignment.

Annex 1 (2022) contamination control strategy (CCS), pre-use post-sterilisation integrity testing (PUPSIT), media fills, environmental monitoring - all in scope. The agent maintains the CCS as a living artefact across sites, products, and inspection cycles.

The model layer is governed under a documented regime aligned to multiple frameworks:

EU AI Act - high-risk AI system documentation per Articles 12 (record-keeping) and 13 (transparency). Risk management per Article 9. Human oversight per Article 14. Post-market monitoring per Article 72.

NIST AI Risk Management Framework - GOVERN, MAP, MEASURE, MANAGE functions instantiated for each agent.

ICH Q9(R1) - risk-based quality risk management applied to the AI lifecycle. Model cards per agent, signed releases, drift detection, performance monitoring on production data.

ISPE GAMP Good Practice Guide on AI/ML in GxP - qualification envelope for the model layer itself.