Verixa — End-to-End GxP SaaS Lifecycle

URS → Risk & Design → Build → Test → Cloud Release → Validation (IQ/OQ/PQ) → Customer Implementation → Customer Validation → Change Control & Continued Operation  ·  11 phases + 10 deep-dive sub-flows
GAMP 5 Category 5 custom multi-tenant AI eQMS · Computer Software Assurance (risk-based) · Internal Engineering + QA playbook · Every step carries RACI + named evidence artifact + regulation. Skill chain applied: URS Expert → CSV/CSA Expert → Validation Test Architect → Head of QA, with Release & Change Control Manager and Customer Implementation & Validation Enablement Expert.
21 CFR Part 11EU Annex 11EU Annex 22 (Draft AI)EU AI Act 2024/1689FDA CSA (Sep 2025)GAMP 5 Cat 5ALCOA+ICH Q9(R1)/Q10ISO 27001 / SOC 2
Regulatory tag families (color = control domain)
Records & Signatures — Part 11 / Annex 11 Validation Method — GAMP 5 / CSA / ICH Q9·Q10 AI Governance — Annex 22 / EU AI Act / GMLP Data Integrity — ALCOA+ (MHRA / WHO TRS 996) Security & Privacy — ISO 27001 / SOC 2 / GDPR GxP Domain — 21 CFR 211 / ICH E6(R3)
RACI key
RResponsible (does the work) AAccountable (owns the gate / sign-off) CConsulted IInformed
0
Concept, Governance & Validation Planning
Sets the rules every later stage is judged against — system definition, GAMP class, intended use, VMP/VP
Head of QA · Validation Lead
Objective
Establish the system definition, GAMP 5 categorisation (Category 5 — custom), and intended use before any requirement is written. Without this, validation scope is undefendable at inspection.
Author the Validation Master Plan (VMP) and a system-specific Validation Plan (VP) that fix scope, deliverables, roles, risk approach (CSA), acceptance criteria, and the definition of "validated".
Stand up the Quality Management System wrappers: SOPs for SDLC, CSV/CSA, change control, deviation/CAPA, document control, supplier management, periodic review, BCP/DR.
Key activities (detailed)
System inventory entry + GxP determination: does the system create/modify/approve/retain/transmit GxP records? Classify GxP-critical vs GxP-supporting vs non-GxP.
GAMP 5 software category assignment (Cat 5 custom for Verixa core; Cat 3/4 for any COTS/configured components). Drives validation rigour.
Intended Use Statement per module — specific, not "manages quality". Defines records, decisions supported, user population, and AI role (advisory vs deterministic).
Regulatory applicability matrix — confirm which of Part 11, Annex 11, Annex 22, EU AI Act, FDA CSA, ICH E6(R3), 21 CFR 211 apply per module and market.
CSA strategy — declare the risk-based assurance approach (scripted vs unscripted vs automated vs leveraged supplier evidence) so test effort tracks risk, per FDA CSA.
Roles & training matrix, document control numbering, and the traceability strategy (RTM owner, tooling) established now and maintained through every later phase.
RACI
ActivityRACI
VMP / Validation PlanRValidation LeadAHead of QACSV/CSA Lead, Reg AffairsEng Lead, Product
GAMP 5 / GxP classificationRCSV/CSA LeadAHead of QAProduct OwnerEngineering
Intended Use StatementsRProduct OwnerAHead of QAAI Governance, SMEEng, Test
QMS / SOP frameworkRQAAHead of QAAll function leadsAll staff
Evidence / deliverables produced
Validation Master Plan (VMP)Approved, version-controlled
System-specific Validation Plan (VP)Scope, CSA approach, acceptance
Intended Use StatementsPer module, with AI role
GxP Assessment & GAMP category recordCat 5 justification
Regulatory Applicability MatrixPer module / market
SDLC + CSV/CSA SOPsControlled procedures
Exit gate: VMP + VP approved and signed by Head of QA; GxP classification locked; intended use baselined. No requirements work proceeds until the VP defines how it will be validated.
📋 Governing SOPs:VRX-SOP-001VRX-SOP-005VRX-SOP-006VRX-SOP-007VRX-SOP-008VRX-SOP-009
GAMP 5 (Cat 5)FDA CSA — Sep 2025ICH Q9(R1) QRMEU Annex 11 §1 (Risk Mgmt)21 CFR 11.10(a) — system validationEU AI Act Art.9 (risk mgmt — if high-risk)
1
User Requirements Specification (URS)
What the system must do, in atomic testable requirements — the spine of the RTM
Product Owner · Business SME
Objective
Capture user requirements as atomic, uniquely-numbered, testable statements covering functional, workflow-state, data/record, audit trail, e-signature, role/permission, AI governance, reporting/export, integration, performance, and security/privacy needs.
Every URS line becomes a traceability anchor — it must flow to design → test → evidence with no orphans.
Key activities (detailed)
Process mapping with business SMEs for each eQMS workflow (e.g. Deviation → RCA → CAPA, Change Control, Complaint, Audit/Finding, Batch/OOS where GMP).
Requirement authoring — atomic ("the system shall…"), testable, no vague verbs. Each tagged with GxP domain (GCP/GVP/GMP/GDP/GLP/GDocP) and criticality.
Records & audit trail requirements — for every regulated record define create/modify/delete/approve/retrieve events, before/after capture, reason-for-change, retention.
E-signature requirements — signature meaning, authority, manifestation in UI and export, record-signature binding.
AI requirements — intended use, advisory-vs-deterministic label, human-in-the-loop points, model/prompt versioning, citation/explainability, confidence handling, audit logging of inputs/outputs/overrides.
Acceptance criteria per requirement so the Test Architect can design pass/fail tests.
CSV/CSA URS review — independent quality check for atomicity, testability, coverage gaps, and traceability readiness; defects logged and resolved.
RACI
ActivityRACI
Author URSRProduct Owner / BAAHead of QABusiness SME, Eng Lead, AI GovTest, DevOps
URS quality reviewRCSV/CSA LeadAHead of QAData Integrity SMEProduct
Approve / baseline URSRQAAHead of QAReg AffairsAll
Evidence / deliverables
Approved URSAtomic, numbered, testable
URS review / defect logIssues resolved before baseline
RTM (initialised)URS IDs seeded; maintained downstream
Process / workflow mapsSME-validated
Exit gate: URS approved & baselined; every requirement atomic + testable + acceptance-criteria'd; RTM initialised with no orphan high-risk requirements.
📋 Governing SOPs:VRX-SOP-101VRX-SOP-106
GAMP 5 — URS as Cat 5 spec21 CFR 11.10(a)/(e)EU Annex 11 §4 (specifications)ALCOA+ (record reqs)EU Annex 22 — AI intended useICH E6(R3) / 21 CFR 211 (domain)
2
Risk Assessment & GxP Impact Assessment
The CSA engine — decides how much assurance each function needs before any test is written
CSV/CSA Lead · QRM
Objective
Run function-level risk assessment (severity × probability × detectability) per ICH Q9(R1) to set assurance rigour. This is the engine of Computer Software Assurance — high-risk functions get strong scripted evidence; low-risk get justified lighter assurance.
Confirm GxP impact and the EU AI Act / Annex 22 risk classification for every AI function (high-risk vs limited-risk).
Key activities (detailed)
Function decomposition from URS; for each, identify failure modes and GxP/patient-safety/data-integrity impact.
Risk scoring → High / Medium / Low with documented rationale and the control that mitigates it.
CSA test-strategy mapping — assign assurance method per function (scripted / unscripted / automated / supplier-evidence / review-only) with rationale.
AI risk classification — batch/OOS/deviation/CAPA prediction → High-Risk (EU AI Act Annex III); copilot/analytics → Limited-Risk transparency. Confirm prohibition: no generative/probabilistic AI in critical GMP decisions (Annex 22).
Data integrity risk — ALCOA+ exposure per record class; identify where audit trail / e-sig / retention controls are mandatory.
RACI
ActivityRACI
Function risk assessmentRCSV/CSA LeadAHead of QASME, Eng Lead, DI SMEProduct
AI risk classificationRAI Governance LeadAHead of QAReg Affairs, LegalEng
CSA test-strategyRCSV/CSA LeadAHead of QATest ArchitectDevOps
Evidence / deliverables
Risk Assessment ReportFunction-level, scored, rationalised
GxP Impact AssessmentCritical / supporting / non-GxP
CSA Test StrategyAssurance method per function
AI Risk ClassificationEU AI Act / Annex 22 tiering
Exit gate: every URS function has a risk level + assurance method; AI functions classified; no high-risk function left without a planned control and test approach.
📋 Governing SOPs:VRX-SOP-007VRX-SOP-008VRX-SOP-201VRX-SOP-501
ICH Q9(R1) QRMFDA CSA — risk-based assuranceGAMP 5 — risk-based testingEU AI Act Art.6 + Annex IIIEU Annex 22 — AI criticalityMHRA DI — risk to ALCOA+
3
Functional & Design Specification + Architecture
FRS / SDS / config spec + secure multi-tenant cloud architecture — traces every URS to a design
Eng Lead · Architect
Objective
Translate URS into Functional Requirements Spec (FRS), Software/System Design Spec (SDS), data model, API contracts, audit-event model, and configuration spec — each mapped back to URS IDs.
Design the secure multi-tenant architecture: tenant isolation (RLS), RBAC, audit-trail substrate, e-signature service, encryption, and AI module boundaries.
Key activities (detailed)
FRS — functional behaviour, workflow state machines, business rules, field validation, notifications, error handling.
SDS / architecture — services, schema, tenant-isolation model (Row-Level Security + TDAL), API design, observability, audit-event catalogue (create/modify/delete/approve/export with before/after + reason).
Part 11 / Annex 11 design controls — audit trail as append-only & non-modifiable; e-signature manifestation + record binding; time source (server UTC, TIMESTAMPTZ); retention/archival design.
AI design — advisory output segregation (AI never writes to GxP-critical fields without human e-sign); model registry; prompt template version control; ai_requests/llm_audit_log design; HITL gates & confidence-threshold escalation.
Security/privacy by design — authn/MFA, authorization, encryption at rest/in transit, key management, PII/PHI handling, data-residency, subprocessor map.
Architecture Decision Records (ADRs) + design review; RTM updated URS→FRS→SDS.
RACI
ActivityRACI
FRS / SDS / ADRsREng Lead / ArchitectAEng LeadCSV/CSA, DI SME, SecurityQA, Product
Part 11 / DI design controlsRData Integrity SMEAHead of QAArchitectTest
AI architecture & governance hooksRAI Governance LeadAHead of QAArchitect, SecurityProduct
Design review & RTM updateRCSV/CSA LeadAEng LeadQAAll
Evidence / deliverables
FRS + SDSMapped to URS
Architecture / ADRsTenant isolation, audit, e-sig
Audit-event & e-signature designPart 11 / Annex 11 controls
AI design + model registry specAnnex 22 / EU AI Act hooks
Security/privacy designThreat model, data flow
RTM (URS→FRS→SDS)No orphan requirements
Exit gate: design reviewed & approved; every URS traced to FRS/SDS; Part 11, DI, AI-governance, and security controls explicitly designed (not deferred). Design baseline frozen for build.
📋 Governing SOPs:VRX-SOP-102VRX-SOP-103VRX-SOP-104VRX-SOP-309
GAMP 5 — design spec21 CFR 11.10(c)(d)(e)EU Annex 11 §4·§5·§12ALCOA+ by designEU Annex 22 — model/data governanceEU AI Act Art.10·13·14ISO 27001 A.8 / SOC 2 / GDPR Art.25
4
SaaS Application Build (Secure SDLC)
Coding against GxP standards — audit trail, RLS, type-safety, AI segregation on every mutation
Engineering · DevSecOps
Objective
Implement the design under a controlled, version-managed, secure SDLC where every line is audit-inspectable and every regulated mutation carries audit trail, attribution, and tenant isolation.
Key activities (detailed)
Source control & branching — protected main, PR-based, every change traceable to a requirement/ticket; commit standards.
Coding standards (GxP) — audit trail on every INSERT/UPDATE/DELETE; created_by/updated_by attribution; server-generated UTC timestamps; RLS + tenant-scoped data access on every query; zero any types; no dead code; parameterised SQL.
AI implementation guardrails — AI output flagged advisory; never written to GxP-critical fields without human e-sign; model/prompt versions + inputs/outputs/overrides logged to audit tables; no LLM in critical GMP modules.
Peer code review — security, correctness, performance, audit-trail coverage, RLS coverage, type-safety verified before merge.
Static analysis & SCA — SAST, dependency/vulnerability scanning, secrets scanning, license checks in the pipeline.
Configuration management — config-as-code, environment parity, feature-flag governance for regulated workflows.
Unit tests written alongside code (happy path, validation failure, permission denied, not-found, tenant isolation, audit-trail verification) — same commit, not a follow-up.
RACI
ActivityRACI
ImplementationREngineersAEng LeadArchitect, DI SMEQA
Code reviewRSenior Eng (peer)AEng LeadSecurityQA
AI guardrail implementationREngineersAAI Governance LeadCSV/CSAHead of QA
Pipeline security gatesRDevSecOpsASecurity LeadEng LeadQA
Evidence / deliverables
Source code + commit historyTraceable to requirements
Code review recordsApproved PRs
Unit test suite + resultsPer-service coverage
SAST / SCA / secrets scan reportsVulnerabilities triaged
Configuration baselineConfig-as-code, flags
RTM (→ code/build)Design→implementation link
Exit gate: code merged only after review + green pipeline (build, lint, type-check, unit tests, security scans); audit-trail & RLS coverage verified; AI segregation enforced. Build artefact versioned & reproducible.
📋 Governing SOPs:VRX-SOP-103VRX-SOP-104VRX-SOP-105
GAMP 5 — Cat 5 build & config21 CFR 11.10(a)(e) — validated, audit trailALCOA+ (attributable, contemporaneous)EU Annex 22 — AI change/audit loggingGMLP PrinciplesISO 27001 secure SDLC / SOC 2 CC8
5
Testing & Verification (risk-based)
Unit → integration → system → UAT, plus DI / audit-trail / e-sig / AI / security tests scaled to risk
Test Architect · QA Testers
Objective
Prove the system meets the URS through a risk-proportionate test campaign. The CSA Test Strategy from Phase 2 dictates depth: scripted pre-approved protocols for high-risk; exploratory/automated for lower-risk.
Key activities (detailed)
Test design by Test Architect — each test case linked to URS + risk, with preconditions, data, steps, defined expected result, and evidence to capture.
Test layers — unit (done in build) → integration/API → system/functional → regression → performance/load → UAT with business SMEs.
Scenario coverage — happy, alternate, negative, boundary, role/permission, concurrency/stale-data, integration timeout, error handling.
Data integrity tests — audit trail completeness (every event, before/after, reason), tamper-resistance, append-only, retention/retrieval.
E-signature tests — success, failed auth, unauthorized signer, record-changed-after-sign, manifestation in UI & export, signature meaning & binding.
AI assurance tests — HITL enforced, advisory labelling, model/prompt version logging, citation/explainability present, low-confidence escalation, override audit, prohibition of autonomous critical decisions.
Security testing — authz/tenant-isolation tests, OWASP, and an independent penetration test; vulnerabilities triaged.
Defect & deviation management — root cause, impact, retest; no critical defect left open without QA risk decision; results captured as ALCOA+ evidence.
RACI
ActivityRACI
Test design & protocolsRTest ArchitectAHead of QACSV/CSA, DI SME, AI GovEng
Test execution & evidenceRQA TestersATest ArchitectEng (fixes)Product
Penetration testRSecurity / 3rd-partyASecurity LeadDevSecOpsHead of QA
Defect/deviation dispositionRQAAHead of QAEng LeadProduct
Evidence / deliverables
Approved test protocolsScripted for high-risk
Executed test evidencePass/fail, screenshots, logs
Defect & deviation logResolved or risk-accepted
Pen-test & security reportFindings triaged
Performance/load resultsAgainst criteria
RTM (→ test cases & results)High-risk URS directly tested
Exit gate: all planned tests executed; high-risk functions directly evidenced; DI/audit/e-sig/AI/security tests passed; deviations resolved or formally risk-accepted; RTM shows no orphan high-risk requirement or test.
📋 Governing SOPs:VRX-SOP-201VRX-SOP-202VRX-SOP-204VRX-SOP-205VRX-SOP-206VRX-SOP-207
GAMP 5 — verificationFDA CSA — risk-based testing21 CFR 11.10(e)/(g)/(h) audit, authority, device checksEU Annex 11 §5·§9·§14ALCOA+ test evidenceAnnex 22 — AI test-data independenceISO 27001 A.8.29 / SOC 2 pen test
Decision Gate A — Test exit / readiness for release engineering
Pass
All risk-based tests evidenced, deviations closed → proceed to release engineering.
Pass with conditions
Minor open items risk-accepted by QA with documented rationale + tracked actions.
Fail
Open critical/high defect or DI/e-sig/AI gap → back to Build (Phase 4). No release.
6
Production Release to Cloud (Release Engineering & Deployment)
CI/CD promotion, infrastructure qualification, controlled deployment, rollback & monitoring
Release Mgr · DevOps/SRE
Objective
Promote the validated build to the qualified production cloud environment under formal change control, with rollback, monitoring, and a complete release evidence index — without bypassing QA disposition.
Key activities (detailed)
Cloud / infrastructure qualification — qualify the IaaS/PaaS (regions, network, IAM, encryption, backup) and leverage supplier evidence (SOC 2 Type II, ISO 27001, pen-test summary) under a supplier qualification + quality agreement.
Change record for the release — scope, classification, impact assessment, validation impact, regression scope, rollback, customer-notification decision (Release & Change Control Manager).
CI/CD promotion — immutable versioned artefact promoted Dev→Stage→Prod; environment parity; infrastructure-as-code; deployment plan + maintenance window.
Deployment controls — blue/green or canary; database migration plan with idempotent, reversible, audited migrations; feature-flag state confirmed and change-controlled.
Rollback plan — trigger conditions, owner, technical steps, data/audit/e-sig impact, AI model/prompt rollback, communication; tested where material.
Production monitoring & observability — error rate, audit-event failures, e-sig failures, AI output errors, integration failures, security events, with defined thresholds & owners.
Release notes drafted; deployment evidence captured (version, time, who, result).
RACI
ActivityRACI
Release/change recordRRelease ManagerAHead of QACSV/CSA, Eng LeadProduct, CS
Cloud qualification & supplier evidenceRDevOps/SREAQA / Supplier QualitySecurityHead of QA
Deployment & migrationRDevOps/SREARelease ManagerDBA, EngQA
Rollback & monitoring setupRSREAEng LeadSecurityHead of QA
Evidence / deliverables
Approved change/release recordClassified, impact-assessed
Cloud/infra qualification + supplier packSOC 2 / ISO 27001
Deployment evidenceVersion, time, result
Migration execution + reconciliationIf data migrated
Rollback plan (tested)Recovery readiness
Monitoring config + release notesThresholds, owners
Exit gate (Release Readiness): change classified & impact-assessed; cloud qualified; deployment + rollback + monitoring ready; release evidence indexed; Release Manager prepares the Head of QA handoff — but does NOT approve release.
📋 Governing SOPs:VRX-SOP-301VRX-SOP-303VRX-SOP-305VRX-SOP-306
GAMP 5 — IQ / qualificationEU Annex 11 §4.4·§7·§10 (continuity, change)21 CFR 11.10(a)(d)ALCOA+ (enduring, available)Annex 22 — AI deployment controlISO 27001 / SOC 2 — supplier & cloud
7
Validation — IQ / OQ / PQ & QA Release Disposition
Formal qualification in the production environment, RTM closure, VSR, and the QA release decision
Validation Lead · Head of QA
Objective
Demonstrate, with approved evidence, that the system is installed correctly, operates per spec, and performs in the production environment for its intended use — then obtain the formal QA release disposition. This is where "validated" is earned.
Key activities (detailed)
Installation Qualification (IQ) — verify the production deployment, configuration baseline, environment, integrations, and access controls are installed as designed.
Operational Qualification (OQ) — verify functions operate per FRS across the risk-based test set in the qualified environment (workflows, audit trail, e-sig, RBAC, AI HITL, reports/exports, negative/boundary).
Performance Qualification (PQ) — verify the system performs for intended use under representative conditions/data, often with business SMEs; confirm DI controls hold end-to-end.
RTM closure — every URS → risk → design → test → evidence; no orphans; every deviation traced to resolution; every high-risk & AI & Part 11 function traced to verification evidence.
Validation Summary Report (VSR) — system/version, intended use, scope, risk summary, test summary, deviations, open defects with risk, traceability status, supplier evidence used, Part 11/Annex 11/AI status, residual risk, limitations, QA conclusion.
QA release disposition — Head of QA reviews the VSR + release-control pack and issues the disposition. Only authorised humans approve; AI does not.
RACI
ActivityRACI
IQ / OQ / PQ executionRValidation Lead / TestAHead of QAEng, DevOps, SMEProduct
RTM closureRCSV/CSA LeadAHead of QATest ArchitectEng
VSR authoringRValidation LeadAHead of QACSV/CSA, Reg AffairsProduct
Release dispositionRHead of QAAHead of QAReg AffairsAll
Evidence / deliverables
IQ / OQ / PQ protocols + executed evidenceSigned
Closed RTMFull bidirectional traceability
Validation Summary Report (VSR)QA conclusion on fitness
Deviation closure recordsResolved / risk-accepted
QA Release DispositionSigned release decision
Validation package indexInspection-ready
Exit gate: IQ/OQ/PQ passed; RTM closed; VSR concludes fit for intended use (or with conditions); Head of QA signs the release disposition. System is now validated for the stated scope & version.
📋 Governing SOPs:VRX-SOP-202VRX-SOP-203VRX-SOP-307
GAMP 5 — IQ/OQ/PQFDA CSA — assurance conclusion21 CFR 11.10(a) — validationEU Annex 11 §4 — validationALCOA+ — full recordEU AI Act Art.43 conformity (if high-risk)Annex 22 — AI acceptance criteria
8
Customer Implementation & Onboarding
Tenant setup, configuration, shared-responsibility, migration, integration, training — enable, don't certify
Implementation Lead · Customer Success
Objective
Stand up the customer's tenant and configuration, define the shared responsibility split, and equip the customer's QA to validate their intended use. Verixa provides evidence that may support customer validation — it never certifies customer compliance.
Key activities (detailed)
Implementation plan + customer intended use — modules in scope, GxP processes, version, go-live target, validation owner, customer QA owner.
Shared Responsibility Matrix — who owns intended use, SOP alignment, configuration approval, role assignment, training, validation execution, UAT, migration approval, AI oversight, periodic review.
Tenant & configuration setup — roles/permissions, approval workflows, e-signature config, audit-trail enabled & reviewable, notifications, reports/exports, AI feature enable/disable, feature flags confirmed, security settings.
Data migration (if in scope) — source→target mapping, transformation rules, test migration, reconciliation, exception handling, customer approval. DI controls owned by DI SME; validation impact by CSV/CSA.
Integration onboarding — API auth, mapping, error/retry, test environment, customer-side validation responsibility, security review.
Customer Validation Support Pack — system overview, shared-responsibility matrix, supplier qualification pack, VSR/release notes, URS/RA/RTM templates, Part 11/Annex 11 control matrix, audit-trail & e-sig descriptions, AI governance evidence, DI matrix, security/privacy summary, known limitations.
Training — admin, end-user, QA approver, e-signature, audit-trail review, AI feature; training records owned by customer.
RACI
ActivityRACI
Implementation plan & tenant setupRImplementation LeadACustomer Success LeadCustomer QA, DevOpsHead of QA
Shared responsibility matrixRImplementation LeadAHead of QACustomer QA, LegalCustomer admin
Validation support packRCSV/CSA LeadAHead of QADI SME, AI Gov, SecurityCustomer QA
Migration & integrationRImplementation / EngACustomer QA (approval)DI SME, SecurityHead of QA
Evidence / deliverables
Implementation planScope, owners, timeline
Shared Responsibility MatrixVerixa vs customer
Approved tenant configurationCustomer-signed
Customer Validation Support PackEvidence index
Migration reconciliationIf applicable
Training recordsCustomer-owned
Exit gate: tenant configured & customer-approved; shared responsibility agreed; validation support pack delivered; migration reconciled; training ready. Implementation readiness handed to customer QA — no customer-compliance claim made by Verixa.
📋 Governing SOPs:VRX-SOP-906VRX-SOP-309VRX-SOP-912
GAMP 5 — leveraged supplier evidenceEU Annex 11 §3 (supplier), §4.5 (supplier audit)21 CFR 11.10(d) access controlsALCOA+ (migration integrity)EU AI Act — deployer obligationsDPA / GDPR / SOC 2 customer evidence
9
Customer Validation & Go-Live
Customer-side UAT/PQ against their intended use, customer VSR, go-live readiness, hypercare
Customer QA · Implementation Lead
Objective
The customer validates the configured system against their intended use, SOPs, and risk assessment — leveraging Verixa's evidence — and their QA approves go-live. Verixa supports and coordinates; the customer's QA owns the validation approval.
Key activities (detailed)
Customer validation plan — customer authors/approves their VP, URS, risk assessment, and RTM using Verixa templates; defines what they leverage vs test themselves (CSA leveraging).
Customer UAT / PQ — business users execute scripts against their configured workflows & data; defects and (if validation) deviations managed; ALCOA+ evidence captured.
Configuration & SOP verification — confirm tenant config matches approved design; SOPs aligned to system behaviour; roles correctly assigned.
Go-Live Readiness Gate — intended use defined; config approved; training complete; UAT/validation status known; open defects reviewed; migration reconciled; integrations tested; AI governance reviewed; DI & security evidence in place; Verixa release version QA-approved.
Customer VSR + go-live approval — customer QA signs. Verixa Head of QA confirms Verixa's quality position only.
Hypercare — defined support channel, escalation path, GxP/AI/security escalation, duration, and lessons-learned review before steady-state support handoff.
RACI
ActivityRACI
Customer validation executionRCustomer validation teamACustomer QAVerixa Implementation, CSV/CSAVerixa Head of QA
Go-live readiness assessmentRImplementation LeadACustomer QAVerixa Head of QACustomer Success
Customer go-live approvalRCustomer QAACustomer QACustomer Reg AffairsVerixa
HypercareRVerixa Support / ImplACustomer Success LeadEng, QACustomer admin
Evidence / deliverables
Customer VP / URS / RA / RTMCustomer-owned
Customer UAT/PQ evidenceExecuted, signed
Go-Live Readiness checklistAll gates passed
Customer VSR + go-live approvalCustomer QA signed
Hypercare planChannels, escalation, duration
Exit gate (Go-Live): customer QA approves go-live against their intended use; hypercare active. System in regulated production use at the customer. Verixa asserts only that its evidence may support the customer's validation.
📋 Governing SOPs:VRX-SOP-907VRX-SOP-911VRX-SOP-912
GAMP 5 — customer validation (leveraged)21 CFR Part 11 — operational controlsEU Annex 11 §11 periodic, §16 incidentALCOA+ in productionEU AI Act Art.26 deployer useICH E6(R3) / 21 CFR 211 (customer GxP)
10
Change Control & Continued Operation (Validated State Maintenance)
Every future change re-enters the lifecycle — classify, impact-assess, route, re-validate, QA-dispose
Release & Change Control Mgr · Head of QA
Objective
Keep the system in a validated state for its operating life. Every change — feature, fix, config, AI model/prompt, supplier/cloud, security — is controlled, impact-assessed, re-validated to the extent of its risk, and QA-disposed. Uncontrolled SaaS change is the failure mode this phase exists to stop.
Key activities (detailed)
Change intake & classification — administrative / cosmetic / standard / normal GxP-supporting / major GxP-impacting / critical / emergency / AI change / supplier-cloud change. Classification sets minimum control.
Impact assessment matrix — intended use, GxP process, URS, workflow state, regulated record, audit trail, e-sig, role/permission, report/export, integration, AI model/prompt/retrieval, validation package, security/privacy, supplier/cloud, customer commitment, SOP/training.
Routing to specialist owners — validation impact → CSV/CSA; record/audit/e-sig → Data Integrity; AI → AI Governance; security/privacy → Security; supplier/cloud → Supplier Quality. "Unknown impact ≠ no impact."
Regression scope — targeted, risk-based; full regression when shared high-risk components change; detailed cases by Test Architect.
AI change control — model swap, version, system/prompt template, retrieval corpus, threshold, automation authority — each requires AI governance review + validation impact + regression before release; prohibition on autonomous critical GMP decisions re-confirmed.
Emergency change — compress sequence, never remove control; mandatory retrospective QA review + CAPA assessment.
Re-validation & re-release — affected IQ/OQ/PQ re-executed; VSR addendum; Head of QA re-disposes; customer notification decision; deploy with rollback & monitoring (loops back through Phases 5–7, and 9 if customer-impacting).
Periodic review — confirm intended use current, access appropriate, config controlled, audit trails complete, backup/restore effective, incidents/deviations/CAPA reviewed, AI monitoring & drift current, validation state maintained.
Continued operation controls — incident/deviation/CAPA, BCP/DR & backup-restore testing (RTO/RPO), AI drift & performance monitoring, supplier re-qualification, and eventual decommissioning with data retention/migration/archival per Part 11 retention.
RACI
ActivityRACI
Change intake / classification / impactRRelease & Change Control MgrAHead of QACSV/CSA, DI, AI Gov, SecurityProduct, CS
Re-validationRValidation LeadAHead of QATest ArchitectEng
Periodic reviewRCSV/CSA LeadAHead of QADI, AI Gov, SecurityProduct
BCP/DR & monitoringRSRE / SecurityAHead of QADevOpsCustomer Success
Change QA dispositionRHead of QAAHead of QAReg AffairsAll
Evidence / deliverables
Change records (classified)Impact-assessed, routed
Re-validation evidence + VSR addendaPer change
Regression resultsRisk-scoped
Periodic review reportsValidated-state confirmation
BCP/DR test recordsRTO/RPO evidenced
Deviation / CAPA / incident recordsClosed-loop
Customer notifications + release notesWhere impacting
Decommissioning & data retention planEnd-of-life
Operating rule: no production change reaches users without classification + impact assessment + specialist routing + risk-based re-validation + Head of QA disposition. Periodic review confirms the validated state is maintained between changes.
📋 Governing SOPs:VRX-SOP-302VRX-SOP-304VRX-SOP-307VRX-SOP-308VRX-SOP-909
GAMP 5 — operation & periodic reviewEU Annex 11 §10 change, §11 periodic, §16 incident, §7 data21 CFR 11.10(a)(c)(e) retentionALCOA+ enduring/available; MHRA DIEU Annex 22 — AI change & drift; EU AI Act Art.72 post-marketISO 27001 — continuity, monitoringICH Q10 — CAPA / continual improvement

Deep-Dive Sub-Flow — GxP Data Migration & Integration Validation

The strict, evidence-first procedure for any time regulated records, audit trails, e-signatures, attachments, linked records, AI-source documents, customer tenant data, reports/exports, or integration payloads move between systems. Was a sub-bullet in Phases 6 & 8 — here it is in full.
Plugs into: Phase 3 (integration design) · Phase 6 (release/cutover) · Phases 8–9 (customer migration & UAT) · Phase 10 (any future schema/API/data change). Triggers: legacy data load, tenant migration, ETL, import/export, API/interface, data sync, cutover/rollback, reconciliation.
Ownership rule for this sub-flow: the Migration & Integration Validation function recommends readiness and assembles evidence — it does not approve. Final migration execution approval = Head of QA (QA risk acceptance) + Release & Change Control Manager (cutover/release). Data-integrity adequacy → DI Expert; security/privacy → Security Expert; supplier/ETL tooling → Supplier Quality; detailed test scripts → Test Architect. Missing evidence is marked Unknown — evidence required and blocks readiness.
↑ Main-flow phases:Phase 3Phase 6Phase 8Phase 9Phase 10
M1
Migration Scope & Evidence Map
Define exactly what data moves, from where, to where, why, and who owns it — before any mapping
Migration Validation Lead
Key activities (detailed)
Scope definition — tenant, environment, module, record types & counts, date range, lifecycle status, user/role population, attachments, linked records, audit trails, e-signatures, metadata, reports/exports, AI-source documents, controlled docs, training/CAPA/deviation/change/audit/supplier/complaint records, reference/master data, integration payload history.
Explicit exclusions — every excluded/archived item needs exclusion reason + business-owner approval + GxP impact + retention/retrieval evidence. No silent drops.
Source & target identity — exact system names + versions + owners; migration tool/method/ETL workflow; migration environment; approved change record & validation plan reference.
Evidence map — for each area (scope, schemas, mapping, transformation, cleansing, audit trail, e-sig, metadata, attachments, links, AI-source, reports, reconciliation, exceptions, cutover, rollback, integration, security, supplier): Confirmed / Partial / Unknown, with the gap stated. Anything unverified = Unknown — evidence required.
Migration risk assessment — score across GxP impact, record criticality, integrity, auditability, process continuity, customer impact, security/privacy, supplier dependency, reversibility, detectability → High / Medium / Low.
RACI
ActivityRA (approval)CI
Scope & evidence mapRMigration Validation LeadAHead of QACSV/CSA, DI SME, ArchitectRelease Mgr, Customer QA
Migration risk assessmentRMigration Validation LeadAHead of QACSV/CSA, SecurityProduct
Evidence / deliverables
Approved migration scopeIn/out-of-scope + exclusions
Evidence mapConfirmed / Partial / Unknown per area
Migration risk assessment10-dimension, risk-leveled
Source/target system + version recordWith owners
Hard stop: if scope, source/target system, or schema is missing → cannot proceed. Mark Unknown — evidence required.
📋 Governing SOPs:VRX-SOP-406
GAMP 5 — data migrationEU Annex 11 §4.8 (migration)ALCOA+ / MHRA DI (data transfer)ICH Q9(R1) risk
M2
Source-to-Target Field Mapping
Field-level mapping — never "same as source" without proof
Migration Lead · Eng
Key activities (detailed)
Field-level mapping table — source system/object/field/type/constraints → target system/object/field/type/constraints, with mapping type (direct / transformed / derived / defaulted / excluded / archived), transformation & cleansing rule IDs, acceptance criteria, reconciliation method, evidence reference, owner.
Coverage check — required, optional, system-generated fields; legacy IDs vs new target IDs; record ownership, status, lifecycle & approval states; document version; effective/expiry/due dates; CAPA/deviation/change/audit/supplier/complaint relationships; attachment, audit-trail, e-signature, and AI-source-document references; report/export fields.
Anti-assumption rule — "same as source" is rejected unless field-level evidence proves it; API behaviour is never inferred from field/endpoint names.
RACI
ActivityRACI
Field-level mappingRMigration Lead / EngAHead of QAArchitect, DI SME, SMETest Architect
Evidence / deliverables
Source-to-target mapping specField-level, approved
Source & target data dictionaries/schemasEvidence-backed
📋 Governing SOPs:VRX-SOP-406
EU Annex 11 §4.8 / §5 (accuracy checks)ALCOA+ (accurate, complete)GAMP 5 — mapping spec
M3
Transformation & Cleansing Rules
Explicit, controlled, auditable — cleansing that changes regulated meaning needs approval
Migration Lead · Business Owner
Key activities (detailed)
Transformation rules — rule ID, rationale, logic, valid range, invalid/null handling, date-time/time-zone, unit conversion, controlled-vocabulary & status & role/user mapping, legacy-ID retention, target-ID generation, rounding/precision, duplicate handling, auditability, test-evidence & owner-approval requirement.
High-risk transformations flagged — status/approval-state changes, signature-meaning changes, date-time/time-zone conversion, role/user mapping, linked-record remapping, attachment reassociation, vocabulary normalization, AI-source provenance, version-history handling — anything that touches regulatory meaning.
Cleansing rules controlled — defect addressed, source condition, proposed correction, whether regulated meaning changes, business-owner approval, QA review trigger, before/after value evidence, auditability, reconciliation impact, retest, exception linkage. Cleansing is never "admin cleanup" if meaning can change.
RACI
ActivityRACI
Transformation rulesRMigration Lead / EngAHead of QADI SME, SMETest Architect
Cleansing rule approvalRBusiness Data OwnerAHead of QADI SMEMigration Lead
Evidence / deliverables
Approved transformation rule setPer-rule, testable
Approved cleansing rule setBefore/after evidence
Hard stop: transformed fields without rules, or corrected data without controlled cleansing rules → Unknown — evidence required; readiness blocked.
📋 Governing SOPs:VRX-SOP-406
EU Annex 11 §5 (accuracy checks)ALCOA+ (original, accurate); MHRA DI21 CFR 11.10(e) — change auditabilityAnnex 22 — AI-source provenance
M4
Audit Trail / E-Signature / Metadata + Attachments & Linked Records
Preserve or controlled-archive the things that carry regulatory meaning
Data Integrity SME
Key activities (detailed)
Audit trail — preserve who/what/when, previous & new value, reason, record context, original-source reference, plus migration-execution metadata (operator, timestamp, rule applied, exception history). If history isn't migrated → controlled archive strategy + retrieval procedure + target-record link + retention justification + QA (and customer) approval.
E-signature — preserve signer identity, date/time, meaning, reason, version signed, sequence, record linkage, source reference. If not migrated as active signatures → controlled archive + meaning preservation + retrieval method + legal/counsel handoff if admissibility is in question.
Metadata — created/modified by & date, owner, lifecycle state, version, effective/expiry dates, approval & training status, tenant ID, source/legacy/target IDs, migration batch ID & status. Defaulted/regenerated metadata = Unknown — evidence required until rule evidence exists.
Attachments — inventory with name/type/size/checksum-hash, source & target & version linkage, access restriction, retention, malware-scan evidence, failed/corrupted/duplicate handling, reconciliation. No attachment migration accepted without content/hash verification where feasible.
Linked records — preserve CAPA↔deviation/complaint/change, deviation↔investigation, finding↔CAPA, supplier↔qualification, training↔document, change↔impacted docs, AI-source↔output, report↔source set. Broken links are high-risk unless proven non-GxP.
RACI
ActivityRA (adequacy)CI
Preservation requirementsRMigration LeadAData Integrity SMECSV/CSA, Legal (e-sig)Head of QA
Attachment / link reconciliationRMigration Lead / EngAData Integrity SMEArchitectHead of QA
Evidence / deliverables
Audit-trail / e-sig / metadata handling specMigrate or archive
Attachment inventory + hash recordsContent-verified
Linked-record preservation evidenceNo orphans
Handoff: final ALCOA+ / Part 11 / Annex 11 data-integrity adequacy is owned by the Data Integrity Expert — this sub-flow defines the requirements, not the adequacy verdict.
📋 Governing SOPs:VRX-SOP-406VRX-SOP-401VRX-SOP-402VRX-SOP-403VRX-SOP-405
21 CFR 11.10(b)(c)(e) copies/retention/auditEU Annex 11 §7·§9·§12·§14ALCOA+ (all 9); MHRA DIAnnex 22 — AI-source linkage
M5
Mock / Test Migration (Dry Run)
Rehearse on production-representative data in a controlled environment — mock ≠ approval
Migration Lead · Test Architect
Key activities (detailed)
Test data design — normal, boundary, invalid, incomplete, duplicate, historical, active-workflow, closed/approved records; records with attachments, signatures, audit history, linked records, AI-source documents; multi-tenant where applicable.
Test coverage — unit-level mapping, transformation-rule, cleansing-rule, batch & incremental, negative, exception, reconciliation, attachment, linked-record, audit-trail, e-sig, metadata, report/export parity, user/role mapping, tenant-isolation, integration-payload, rollback, cutover-rehearsal tests. (Detailed protocols authored by Test Architect.)
Execution logging — version-controlled scripts/tools; log start/end, source extract, target load, transformation outputs, exceptions, reconciliation results, performance/timing, rollback-rehearsal result, defects; confirm retest after corrections + business-owner & QA review.
Discipline — "mock migration passed" is never stated unless actual acceptance criteria were met with evidence; absence of errors ≠ success.
RACI
ActivityRACI
Mock migration executionRMigration Lead / EngAHead of QATest Architect, DI SME, SMERelease Mgr
Detailed test protocolsRTest ArchitectAHead of QAMigration LeadEng
Evidence / deliverables
Mock migration execution logsStart/end, extract, load
Defect records + retest evidencePost-correction
Performance/timing recordCutover-window sizing
📋 Governing SOPs:VRX-SOP-406VRX-SOP-207
GAMP 5 — test migrationFDA CSA — risk-based testALCOA+ test evidenceEU Annex 11 §4.8 (migration checks)
M6
Reconciliation (5 Levels — never row counts alone)
Population → Field → Relationship → Functional → Integrity
Migration Lead · DI SME
The five reconciliation layers (detailed)
L1 — Population: source vs target counts, plus excluded / failed / duplicate / archived / exception counts reconciled.
L2 — Field: required, critical, transformed, and derived field matches; defaulted-field review; controlled-vocabulary mapping verified.
L3 — Relationship: parent-child, record↔attachment, record↔signature, record↔audit-trail, record↔training, record↔CAPA/deviation/change/audit/supplier/complaint, and AI-source-document links intact.
L4 — Functional: search works, record opens, workflow state displays correctly, reports/exports match expected source data, permissions apply, active-workflow records remain actionable, historical records retrievable.
L5 — Integrity: attachment hash/checksum (where feasible), audit-trail sequence intact or archived, signature meaning preserved or archived, metadata preserved/controlled, tenant boundary intact.
Rule: any unreconciled high-risk item is a readiness blocker unless explicitly accepted by Head of QA. Row counts alone are never accepted as reconciliation.
RACI
ActivityRACI
Reconciliation executionRMigration LeadAHead of QADI SME, SME, EngRelease Mgr, Customer QA
Evidence / deliverables
5-level reconciliation resultsSigned, gaps flagged
Unreconciled-item registerWith QA disposition
📋 Governing SOPs:VRX-SOP-406
EU Annex 11 §4.8·§5 (no alteration in value/meaning)ALCOA+ (complete, consistent, accurate)21 CFR 11.10(b) accurate copies
M7
Exception Handling & Defect Disposition
Every exception logged, severity-rated, root-caused, corrected, retested, closed
Migration Lead · QA
Key activities (detailed)
Exception record — ID, detection source, date/time, source & target record IDs, data object, field/payload element, type, severity, GxP impact, root cause, correction, owner, QA review trigger, retest evidence, closure evidence, residual risk, handoff.
Severity (not downgradable without evidence)Critical: data loss, corrupted regulated record, signature/audit-trail failure, tenant-boundary breach, unrecoverable error. Major: incorrect critical field, broken regulated-record link, missing attachment, invalid workflow state, repeated integration failure. Minor: display/format with no regulated meaning. Informational: observation, no verified GxP impact.
Defect taxonomy — scope / mapping / transformation / cleansing / integrity / audit-trail / e-signature / attachment / linked-record / AI-source / report-export / tenant / API-schema / integration-behavior / security-privacy / evidence / cutover / rollback defects — each with severity, GxP impact, owner, correction, retest & closure evidence.
RACI
ActivityRA (disposition)CI
Exception logging & correctionRMigration Lead / EngAHead of QADI SME, Security, Supplier QualityRelease Mgr
Evidence / deliverables
Exception log + closure evidenceRoot cause, retest
Residual-risk registerFor Head of QA acceptance
Hard stop: open critical defects, or open major defects without QA-reviewed disposition, block readiness. Repeated integration failures may trigger a deviation/CAPA.
📋 Governing SOPs:VRX-SOP-406VRX-SOP-901
21 CFR 11.10(e) audit of correctionsALCOA+ (attributable, original)ICH Q10 — CAPA on failuresEU Annex 11 §16 incident mgmt
M8
Cutover & Rollback
Controlled production switchover with a real, tested recovery path
Release & Change Control Mgr
Key activities (detailed)
Cutover plan — approved change record, migration window, freeze period, source lock/read-only timing, final extract & reconciliation timing, business/QA/customer/security checkpoints, supplier availability, engineering support, defect-triage bridge, go/no-go criteria, communication plan, production access control, post-cutover monitoring, hypercare period, rollback trigger, evidence-capture owner.
Rollback plan — trigger, decision owner, time limit, data restore point, backup evidence, source restart, target rollback method, partial-rollback & in-flight transaction & integration-queue handling, user/customer comms, post-cutover-data handling, audit-trail impact, post-rollback reconciliation & validation evidence, security/supplier impact, QA review, change-record linkage.
Discipline — rollback is never just "restore backup": restore scope, timing, data-loss risk, and verification evidence must be defined and rehearsed.
RACI
ActivityRA (approval)CI
Cutover plan & go/no-goRMigration LeadARelease & Change Control Mgr + Head of QADevOps, DI SME, Customer QACustomer Success
Rollback readinessRSRE / EngARelease & Change Control MgrBCP/DR, SecurityHead of QA
Evidence / deliverables
Approved cutover planGo/no-go criteria
Tested rollback planRestore verified
Production execution + monitoring logsPost-cutover
Handoff: cutover/release approval is owned by the Release & Change Control Manager (+ Head of QA QA-risk acceptance); backup/restore feasibility is corroborated by the BCP/DR function. This sub-flow provides the cutover/rollback input.
📋 Governing SOPs:VRX-SOP-406VRX-SOP-301VRX-SOP-306
EU Annex 11 §4.4·§7·§16 (continuity)21 CFR 11.10(c) record protectionALCOA+ (enduring, available)ISO 27001 — backup/continuity
M9
Integration Inventory + API / Interface Validation + Error Handling
For data exchanged between systems — contract-verified, never name-inferred
Migration Lead · Eng · Security
Key activities (detailed)
Integration inventory — per interface: ID, name, business purpose, GxP impact, source/target, middleware, data objects, payload schema, trigger, frequency, direction, auth, authorization, error handling, retry, monitoring, logging, owner, supplier dependency, validation evidence.
API/interface validation expectations — contract & endpoint & schema verification; required/optional field & data-type & controlled-vocabulary validation; authentication, authorization, tenant isolation; rate-limit, timeout, retry, duplicate-request, idempotency; error codes & message clarity; logging, monitoring, alerting; payload retention & confidentiality; audit-trail generation; service-account control; version & backward compatibility; failure recovery; boundary & invalid payloads; partial success/failure. (Test scripts → Test Architect.)
Integration error handling — detection, classification, logging, alerting, retry & limits, dead-letter queue, manual correction, duplicate prevention, partial-failure & payload-quarantine handling, correction approval, reprocessing control, audit-trail generation, user/customer notification, supplier escalation, CAPA/deviation trigger criteria, monitoring dashboard, evidence retention.
Anti-assumption rule — API behaviour requires contract evidence; never inferred from endpoint names.
RACI
ActivityRACI
Integration inventory & expectationsRMigration Lead / EngAHead of QAArchitect, Security, Supplier QualityRelease Mgr
API test scriptsRTest ArchitectAHead of QAEngMigration Lead
Evidence / deliverables
Integration inventoryPer-interface, GxP-classified
API contracts + payload schemasEvidence-backed
Error-handling & monitoring specRetry, alerting, quarantine
Handoff: API payload security / tenant-data exposure → Security & Privacy Expert; ETL tools / API gateways / middleware / managed DBs / AI providers → Supplier Quality Expert.
📋 Governing SOPs:VRX-SOP-407
21 CFR 11.10(d) access; EU Annex 11 §5·§12ALCOA+ (consistent, complete)ISO 27001 / SOC 2 / GDPR — payload & tenantAnnex 22 — AI payload provenance
Readiness Gate M — Migration/Integration go/no-go recommendation
Ready to proceed
All gates Pass; reconciliation complete; exceptions closed → recommend to Head of QA + Release Mgr for approval.
Conditionally ready
Listed blockers with closure plan; Head of QA accepts residual risk in writing.
Not ready / Unknown
Any high-risk Unknown, open critical defect, or unreconciled high-risk item → blocked. No cutover.
M10
Evidence Pack, Final Position & Owner Approval
Assemble the inspection-ready pack; this function recommends — Head of QA + Release Mgr approve
Migration Lead → Head of QA
Key activities (detailed)
Evidence pack structure — change record, scope, GxP impact, source/target evidence, data dictionaries/schemas, mapping, transformation & cleansing rules, scripts/tools version, API contracts, payload schemas, test strategy, mock-migration evidence & logs, reconciliation plan & results, exception log & closures, retest evidence, attachment & linked-record reconciliation, audit-trail/e-sig/metadata evidence, report/export parity, security/privacy & supplier evidence (or handoff), cutover & rollback plans, go/no-go recommendation, production logs, post-cutover monitoring, open issues, residual-risk summary, handoff log.
Final Position — readiness (Ready / Conditionally ready / Not ready / Unknown); evidence sufficiency; and explicit "not owned by this skill" rows pointing DI adequacy → DI Expert, validation strategy → CSV/CSA, detailed protocols → Test Architect, QA risk → Head of QA, security → Security Expert, supplier → Supplier Quality, release/cutover → Release Mgr, audit pack → Audit Readiness, legal → Counsel.
Owner approval — Head of QA accepts residual QA risk; Release & Change Control Manager approves the cutover/release. Only then does production migration execute. Loops back to Phase 9 (customer reconciliation evidence) and Phase 10 (change record closure).
RACI
ActivityRA (approval)CI
Evidence pack & final positionRMigration Validation LeadAHead of QACSV/CSA, Audit ReadinessRelease Mgr
Cutover/release approvalRRelease & Change Control MgrAHead of QA + Release MgrCustomer QA (if customer data)All
Evidence / deliverables
Migration/Integration Evidence PackInspection-ready index
Final Position tableReadiness + handoffs
QA risk acceptance + cutover approvalSigned by owners
Post-cutover monitoring + close-outInto change record
Operating rule: this function never writes "approved", "validated", "migration passed", or "compliant". It recommends readiness; Head of QA + Release & Change Control Manager approve. Customer-data migrations also require the customer's QA acceptance.
📋 Governing SOPs:VRX-SOP-406VRX-SOP-407VRX-SOP-203
GAMP 5 — migration report21 CFR Part 11 — records & retentionEU Annex 11 §4.8·§10·§11ALCOA+ — full evidenceISO 27001 / SOC 2 — supplier & security

Deep-Dive Sub-Flow — AI Validation & Governance

Runs across every phase for Mira copilot, prediction engine, AI scoring/classification, and the model registry. The control set that keeps generative/probabilistic AI out of critical GMP decisions and advisory AI off the system-of-record.
Plugs into: Phase 1 (AI requirements) · Phase 2 (AI risk class) · Phase 3 (AI design) · Phase 4 (AI guardrails) · Phase 5 (AI assurance tests) · Phase 10 (AI change control). Owner: AI Governance Lead; adequacy verdict by AI Validation & Governance Expert; final QA by Head of QA.
Hard regulatory boundary: only static, deterministic AI in critical GMP decisions (batch release, OOS, CAPA disposition). Generative AI/LLMs/probabilistic models are prohibited there (EU/PIC-S Annex 22). Copilot/analytics = advisory, never written to GxP-critical fields without human e-signature.
↑ Main-flow phases:Phase 1Phase 2Phase 3Phase 4Phase 5Phase 10
AI-1
AI Intended Use, Classification & Model Registry
Declare what each AI function does, its risk tier, and register it before deployment
AI Governance Lead
Key activities
Intended Use Statement per AI function — purpose, user population, performance thresholds (precision/recall/F1), advisory-vs-deterministic label.
EU AI Act classification — batch/OOS/deviation/CAPA prediction → High-Risk (Annex III); copilot/analytics/trend → Limited-Risk transparency. FDA CSA process-risk tiering in parallel.
Model registry entry — model name, version, provider, intended use, risk class, acceptance criteria, training/test data lineage — registered before any use.
Annex 22 criticality — confirm whether the AI touches patient safety / product quality / data integrity in GMP; if critical, only static deterministic models permitted.
RACI
ActivityRACI
AI intended use & classificationRAI Governance LeadAHead of QAReg Affairs, Legal, CSV/CSAEng, Product
Model registryRAI/ML EngAAI Governance LeadCSV/CSAHead of QA
Evidence
AI Intended Use StatementsPer function, thresholds
EU AI Act / Annex 22 classificationHigh vs limited risk
Model registry recordVersion, provider, criteria
📋 Governing SOPs:VRX-SOP-501
EU AI Act Art.6 + Annex IIIEU Annex 22 — intended use & criticalityGMLP Principle 1FDA AI Draft Jan 2025
AI-2
Training-Data Governance, Explainability & HITL Design
Data lineage, no black boxes in quality-critical paths, human-in-the-loop gates
AI Governance Lead · DI SME
Key activities
Training-data governance — source, quality, representativeness, version control; training and test data kept separate (Annex 22 §5.3); bias testing across site/product-line/submitter role before deployment.
Explainability — every prediction surfaced to a user returns a structured explanation (feature importance / contributing factors / confidence), not a raw score. No black-box models in quality-critical paths.
HITL gates — AI output → human review → e-signature → action; confidence below the configured threshold auto-escalates to quality_lead+. No silent low-confidence passes.
Advisory segregation — AI suggestions visually labelled "AI-generated — requires human review"; never written to complaints.root_cause, deviations.investigation_conclusion, capas.action_description, batch_records.disposition without human confirmation.
RACI
ActivityRACI
Training-data & bias governanceRAI/ML EngAAI Governance LeadDI SME, CSV/CSAHead of QA
HITL & explainability designRAI Governance LeadAHead of QAArchitect, ProductEng
Evidence
Training-data lineage + bias reportTrain/test separation
Explainability spec + samplesPer prediction type
HITL gate configConfidence thresholds, escalation
📋 Governing SOPs:VRX-SOP-503VRX-SOP-504VRX-SOP-506
EU AI Act Art.10·13·14EU Annex 22 §5·§6·§7GMLP Principles 4·5·721 CFR 11 — e-sig on AI-accepted decision
AI-3
AI Audit Logging, Drift Monitoring & AI Change Control
Full traceability of inputs/outputs/overrides; revalidate on drift; control every model/prompt change
AI Governance Lead · MLOps
Key activities
AI audit logai_requests/llm_audit_log capture model name+version, prompt/input hash, output, confidence, timestamp, triggering user, and accept/reject/modify outcome. Human-accepted outputs attributed to the human, not the model.
Drift & performance monitoring — production tracking via prediction_log/ai_scoring_results; accuracy below acceptance threshold raises a dashboard_alert and flags the model for revalidation.
AI change control — model swap, version bump, system/prompt-template change, retrieval-corpus change, threshold/parameter change, automation-authority change each require AI governance review + validation-impact + regression + Head of QA disposition. Prompt templates are version-controlled, never hardcoded inline.
Periodic revalidation — frequency by model risk level; revalidation evidence stored alongside the model version.
RACI
ActivityRACI
AI audit logging & monitoringRMLOpsAAI Governance LeadDI SME, EngHead of QA
AI change control dispositionRAI Governance LeadAHead of QACSV/CSA, Release MgrProduct
Evidence
AI audit log recordsInputs/outputs/overrides
Drift monitoring + alertsAcceptance thresholds
AI change records + revalidationPer model version
📋 Governing SOPs:VRX-SOP-502VRX-SOP-505
EU Annex 22 §5·§8 (monitoring, change)EU AI Act Art.72 post-marketGMLP Principles 6·9·1021 CFR 11.10(e) AI audit trail
AI-4
AI Knowledge-Base / RAG Source Governance
Only approved, current, traceable sources drive Mira RAG — with source-to-answer traceability and tenant-source isolation
AI Governance Lead · RAG Source Steward
Key activities
Source eligibility & approval — only approved, owned, current sources are RAG-eligible; draft / obsolete / superseded sources excluded; public web content is not treated as controlled evidence.
Provenance & freshness — every source carries origin, owner, version, effective/review date. A current source file does not prove a current index — re-index evidence required.
Chunk / index & source-to-answer traceability — every chunk traces to source ID + version + section; every answer traces query → retrieval → source version → chunk → citation. No untraceable regulated answer.
Citation governance — citations link to the exact approved source version; no fabricated, obsolete, or draft citations; source-supported answer distinguished from model synthesis.
Tenant source isolation — customer-specific sources are never retrievable cross-tenant; role/tenant retrieval filters enforced.
Source update / re-index / retirement under change control; conflicting / missing / obsolete-source handling rules defined.
RACI
ActivityRA (adequacy)CI
RAG source governanceRAI Gov Lead / RAG StewardAAI Validation & Governance ExpertDI SME, Security, Reg IntelligenceHead of QA
Evidence
Source inventory + eligibility logApproved / excluded
Source-to-answer traceabilityVersion + chunk + citation
Re-index / retirement recordsIndex currency
Handoff: final AI governance adequacy → AI Validation & Governance Expert; tenant-source isolation → Security & Privacy Expert; controlled-document lifecycle → Document Control. This stage defines source governance, not AI adequacy.
📋 Governing SOPs:VRX-SOP-506VRX-SOP-501
EU Annex 22 — source & data governanceEU AI Act Art.10·13GMLPALCOA+ (traceable, original)21 CFR Part 11 — records
AI-5
Agentic AI Governance — Agent Registry, Qualification & Panel / DRT
For Verixa's multi-agent workflows: every agent registered & qualified; panel deliberations, dissent and decision-record-trails evidenced; HITL escalation governed
AI Governance Lead · Agentic Workflow Owner
Key activities
Agent registry & qualification — every agent (role, version, tool access, intended use) is registered and qualified before use; qualification records link to intended use and validation evidence.
Panel sessions & deliberation evidence — multi-agent panel sessions, deliberations and routing are recorded; agent participation and review touchpoints are traceable.
Dissent / conflict & DRT documents — dissent and conflict records captured; Decision-Record-Trail (DRT) documents link each agentic decision to its evidence, requirement, risk, and change record.
Escalation & HITL — agentic decisions affecting regulated records escalate to human review + e-signature; no autonomous critical GMP decision; HITL linkage governed.
Linkage & audit — agentic workflow evidence links to requirement, risk, change, validation, deviation/CAPA and audit trail; full traceability of agent inputs / outputs / human overrides.
Validation scenario inputs — agent qualification, panel routing, dissent capture, escalation, DRT linkage, tenant/study boundary (detailed protocols → Test Architect).
RACI
ActivityRA (adequacy)CI
Agentic governance & agent registryRAgentic Workflow OwnerAAI Validation & Governance ExpertHITL/E-sig SME, Architect, DI SMEHead of QA
Evidence
Agent registry + qualification recordsPer agent / version
Panel / deliberation & dissent recordsRouting traceable
DRT documents + escalation evidenceDecision-to-evidence trail
Handoff: AI governance adequacy → AI Validation & Governance Expert; human decision workflow & e-signature → HITL / E-Signature Decision Workflow SME; agent architecture → Product / Engineering Architect.
📋 Governing SOPs:VRX-SOP-501VRX-SOP-502VRX-SOP-504
EU AI Act Art.14 (human oversight)EU Annex 22 — AI controlGMLP 721 CFR Part 11 — e-sig & recordsALCOA+ (traceable)
AI-6
AI Provider / LLM Gateway Assurance
Every model call routed, controlled and logged — provider config, fallback, token handling, provider-change control
AI Governance Lead · Platform Eng
Key activities
Gateway & provider configuration — model endpoints, provider/model version pinning, and routing under configuration control; no untracked provider/model in a regulated path.
Rate limits, token handling & logging — request/response logging to the AI audit trail; controls on what data is placed in prompts; rate-limit & quota behavior defined.
Fallback & failover — defined behavior when a provider/model is unavailable or degraded; no silent provider substitution in regulated decisions.
Provider change control — provider swap, model version, endpoint or terms change → AI governance + supplier + validation impact + regression before release.
Supplier & privacy dependency — AI provider qualification and data-processing terms (→ Supplier Quality, Security & Privacy).
RACI
ActivityRACI
Provider / gateway assuranceRAI Gov Lead / Platform EngAAI Validation & Governance ExpertSupplier Quality, Security, Release MgrHead of QA
Evidence
Gateway config baselineEndpoints, version pins
Provider logs + fallback testFailover evidenced
Provider-change recordsImpact-assessed
AI governance adequacy → AI Validation & Governance Expert; provider qualification → Supplier Quality Expert; data-processing/privacy → Security & Privacy Expert.
📋 Governing SOPs:VRX-SOP-502VRX-SOP-701VRX-SOP-506
EU Annex 22 — AI controlEU AI Act Art.10·15EU Annex 11 §3 · 11.10(e)ISO 27001 / SOC 2 — provider
AI-7
Human-in-the-Loop / E-Signature Decision Workflow
Decision gates where AI / agent output requires human review & e-signature before any regulated action
HITL / E-Signature SME · QA
Key activities
Decision gates — defined points where AI/agent output must be human-reviewed before action; gate configuration is controlled.
Escalation paths & authority — review routing, reviewer authority, and low-confidence/critical escalation recorded as review events.
E-signature linkage — the human decision is e-signed and bound to the AI output and the regulated record (Part 11 meaning, identity, manifestation).
Decision evidence — who / what / when / why captured for every gated decision; AI recommendation, human decision and override reason logged.
Hard rule — no autonomous critical GMP decision; AI never writes to a GxP-critical field without the human e-signature.
RACI
ActivityRACI
HITL / e-signature decision workflowRHITL/E-sig SMEAHead of QADI SME, AI Gov LeadReg Affairs
Evidence
Decision-gate configurationControlled
Signed decision recordsAI→human→e-sig binding
Override / escalation logReason captured
Final QA risk acceptance → Head of QA; data-integrity adequacy of the signed record → Data Integrity Expert; AI governance adequacy → AI Validation & Governance Expert.
📋 Governing SOPs:VRX-SOP-403VRX-SOP-504VRX-SOP-501
EU AI Act Art.14 (human oversight)21 CFR 11.50/11.70/11.100/11.200EU Annex 11 §14 (e-sig)GMLP 7

Deep-Dive Sub-Flow — Data Integrity, 21 CFR Part 11 & EU Annex 11

The ALCOA+ control spine: audit trail, electronic signatures, access control, and retention/archival on every regulated record across the whole lifecycle.
Plugs into: Phases 3–7 (design→validation), 8–9 (customer), 10 (change). Owner: Data Integrity SME; final adequacy verdict by Data Integrity / Part 11 / Annex 11 Expert; QA by Head of QA.
↑ Main-flow phases:Phase 3Phase 4Phase 5Phase 6Phase 7Phase 10
DI-1
ALCOA+ Record Controls & Audit Trail
Attributable, contemporaneous, original, accurate — append-only audit trail on every mutation
Data Integrity SME
Key activities
ALCOA+ controls — attribution (created_by/updated_by from authenticated user), server-generated UTC timestamps, original-record preservation (versioning/soft-delete, no hard delete of GxP records), legibility, completeness, consistency, enduring & available storage.
Audit trail — every INSERT/UPDATE/DELETE logged with tenant, user, action, resource, before/after field-level diff, reason; append-only and non-modifiable by any application user incl. platform_admin; captures the meaning of the change, not just raw values.
Audit-trail review — defined review process & cadence; export & inspector retrieval verified.
RACI
ActivityRA (adequacy)CI
ALCOA+ & audit-trail controlsREngineersAData Integrity SMEArchitect, CSV/CSAHead of QA
Evidence
Audit-trail design + test evidenceAppend-only, before/after
ALCOA+ control matrixPer record class
📋 Governing SOPs:VRX-SOP-401VRX-SOP-402
21 CFR 11.10(a)(c)(e)EU Annex 11 §9 (audit trails)ALCOA+ (all 9); MHRA DI 2018; WHO TRS 996
DI-2
Electronic Signatures & Access Control
Signature meaning, record binding, manifestation; RBAC and least privilege
Data Integrity SME · Security
Key activities
E-signature controls — signature meaning & reason, signer identity + authority, date/time, record-signature binding, manifestation in UI and export; record-changed-after-sign detection; Part 11 §11.100/§11.200 verified.
Access control — authentication (MFA where required), role-based authorization checked on every route before business logic, least privilege, role hierarchy never granted upward, segregation of duties (creator ≠ approver).
Tenant isolation — RLS on every table; tenant-scoped data access enforced; cross-tenant access only via explicitly named, documented platform context.
RACI
ActivityRACI
E-signature controlsREngineersAData Integrity SMELegal (meaning), SecurityHead of QA
Access control / RLSREngineersASecurity LeadDI SMEHead of QA
Evidence
E-signature design + test evidenceMeaning, binding, manifestation
RBAC + RLS test evidenceTenant isolation proven
📋 Governing SOPs:VRX-SOP-403VRX-SOP-404VRX-SOP-605
21 CFR 11.10(d)(g) · 11.50 · 11.70 · 11.100 · 11.200EU Annex 11 §12 (security) · §14 (e-sig)ISO 27001 A.5/A.8
DI-3
Retention, Archival & Inspector Retrieval
Durable, retrievable, true-copy records for the full retention period
Data Integrity SME · DevOps
Key activities
Retention — record + metadata + audit trail retained per regulatory/contractual period; soft-deleted records remain audit-accessible.
Archival — true-copy archival strategy; readability over time; format/migration controls for long-term records.
Inspector retrieval — controlled export/print, signature manifestation in output, reproducible reports, large-dataset retrieval, time-zone handling verified.
RACI
ActivityRACI
Retention & archivalRDevOps / EngAData Integrity SMECSV/CSA, LegalHead of QA
Evidence
Retention/archival policy + evidencePeriod, true-copy
Export/retrieval test evidenceInspector-ready
📋 Governing SOPs:VRX-SOP-405VRX-SOP-308
21 CFR 11.10(b)(c) copies & retentionEU Annex 11 §7·§8·§17ALCOA+ (enduring, available)

Deep-Dive Sub-Flow — Security & Privacy

Protects the confidentiality, integrity, and availability of regulated and personal data — secure SDLC, tenant isolation, encryption, vulnerability management, and privacy/DPA.
Plugs into: Phase 3 (security by design) · Phase 4 (secure SDLC) · Phase 5 (pen test) · Phase 6 (cloud) · Phases 8–10 (customer & change). Owner: Security Lead; privacy by DPO/Counsel.
↑ Main-flow phases:Phase 3Phase 4Phase 5Phase 6Phase 8Phase 9Phase 10
SEC-1
Secure SDLC, Encryption & Tenant Isolation
Security built in, not bolted on
Security Lead · DevSecOps
Key activities
Secure SDLC — threat modelling, secure coding standards, SAST/DAST/SCA, secrets scanning, dependency & license control in the pipeline.
Encryption & key management — at rest and in transit (TLS), key rotation, no hardcoded secrets, secrets vaulting.
Tenant isolation & authn/authz — RLS, least privilege, MFA, session control, privileged-access controls and admin-activity logging.
RACI
ActivityRACI
Secure SDLC & encryptionRDevSecOpsASecurity LeadArchitect, DI SMEHead of QA
Evidence
Threat model + secure-SDLC evidenceSAST/DAST/SCA
Encryption & key-mgmt recordsAt rest/in transit
📋 Governing SOPs:VRX-SOP-601VRX-SOP-103VRX-SOP-404
ISO 27001 A.8 / SOC 2 CC6·CC7·CC8EU Annex 11 §12 (security)21 CFR 11.10(d) access
SEC-2
Vulnerability Management, Pen Test & Incident Response
Find, triage, fix, monitor — and have a tested response plan
Security Lead
Key activities
Vulnerability management — continuous scanning, severity-based SLAs, patch management, dependency CVE tracking.
Penetration testing — independent pen test per release cycle / major change; tenant-isolation & OWASP coverage; findings triaged and retested.
Security incident response — detection, logging/monitoring (SIEM), defined IR plan, breach assessment & notification, and link to deviation/CAPA where GxP-impacting.
RACI
ActivityRACI
Vuln mgmt & pen testRSecurity / 3rd-partyASecurity LeadDevSecOpsHead of QA
Incident responseRSecurity / SREASecurity LeadQA, LegalCustomer Success
Evidence
Vuln scan + remediation recordsSLA-tracked
Pen-test reportFindings retested
IR plan + incident recordsBreach assessment
📋 Governing SOPs:VRX-SOP-602VRX-SOP-603VRX-SOP-905
ISO 27001 A.8.8·A.8.29 / SOC 2 CC7EU Annex 11 §16 (incident)
SEC-3
Privacy, Data Protection & DPA
PII/PHI handling, data residency, subprocessors, cross-border transfer
DPO · Legal/Privacy Counsel
Key activities
Privacy by design — data minimisation, purpose limitation, PII/PHI classification, retention & deletion controls, no sensitive data in logs.
Data Processing Agreement (DPA) — controller/processor roles, subprocessor map & flow-down, audit rights, breach notification terms.
Cross-border transfer & residency — transfer mechanism, data-residency commitments, customer-specific privacy requirements (India + US + EU markets).
RACI
ActivityRACI
Privacy controls & DPARDPOALegal/Privacy CounselSecurity, Customer SuccessHead of QA
Evidence
Privacy assessment (DPIA)PII/PHI mapped
Signed DPA + subprocessor listPer customer
📋 Governing SOPs:VRX-SOP-604
GDPR Art.25·28·32·44+ / DPDP Act (India) / HIPAA (where applicable)SOC 2 — Privacy / Confidentiality
SEC-4
Periodic Access Review & Privileged Access Governance
User/role certification, privileged & service accounts, break-glass, joiner-mover-leaver, segregation of duties, tenant boundaries
Security Lead · Access Review Owner
Key activities
Periodic access certification — defined scope, reviewer authority, retain / modify / revoke decision per user & account, exceptions logged and closed. A calendar invite or meeting note is not evidence.
Privileged & admin access — admin / superuser / DBA / cloud / DevOps / IAM / AI-admin accounts inventoried, justified, approved, MFA-protected, session-logged, and periodically reviewed.
Service accounts & API tokens — owner, purpose, scope, expiry, rotation, revocation; no orphaned or never-expiring tokens; tokens revoked when the owner leaves.
Break-glass / emergency access — time-bound, approved, logged, post-use reviewed, with an incident/deviation trigger.
Joiner-Mover-Leaver — provisioning approved; mover's old access removed; leaver revoked with deactivation evidence (terminated user must not remain active).
Segregation of duties & tenant boundaries — no create+approve of the same record, no self-approval of access, no audit-trail-config + audit-trail-review in one role; cross-tenant access is high-risk.
RACI
ActivityRA (adequacy)CI
Access review & privileged governanceRAccess Review OwnerASecurity LeadDI SME, Head of QA, Supplier Quality (IdP/SSO)Reg Affairs
Evidence
Access certification recordsDecisions + closure
Privileged + service-account/token inventoryOwner, scope, expiry
Break-glass & JML evidence + SoD reviewRevocation proven
Handoff: security/privacy adequacy → Security & Privacy Expert; data-integrity adequacy of record-altering privilege → Data Integrity Expert; final QA risk acceptance → Head of QA.
📋 Governing SOPs:VRX-SOP-605VRX-SOP-404
21 CFR 11.10(d)(g)EU Annex 11 §12ALCOA+ (attributable, accountable)ISO 27001 A.5.15–A.5.18ICH Q9(R1) risk

Deep-Dive Sub-Flow — Supplier & Cloud (SaaS Vendor) Qualification

Verixa runs on third parties — IaaS/PaaS, AI model providers, subprocessors, ETL/middleware. Their evidence can be leveraged, but only after qualification under a quality agreement.
Plugs into: Phase 6 (cloud qualification) · Phases 8–9 (customer-shared supplier pack) · Phase 10 (supplier change). Owner: Supplier Quality Expert.
↑ Main-flow phases:Phase 6Phase 8Phase 9Phase 10
SUP-1
Supplier Risk & Qualification
Classify criticality, qualify, and put a quality agreement in place
Supplier Quality · Procurement
Key activities
Supplier inventory & risk classification — cloud/hosting, AI/model provider, auth provider, email/notification, monitoring/logging, backup/DR, ETL/middleware, subprocessors — each GxP-impact rated.
Qualification & evidence review — SOC 2 Type II, ISO 27001, pen-test summary, SDLC evidence, cloud-architecture evidence, AI-provider evidence; QA assesses adequacy (claims not accepted at face value).
Quality / data-processing agreement — responsibilities, validation-pack rights, change & incident notification obligations, audit rights, SLAs.
RACI
ActivityRACI
Supplier qualificationRSupplier QualityAHead of QASecurity, Legal, CSV/CSAProcurement
Evidence
Supplier register + risk ratingGxP-impact classified
Qualification pack (SOC2/ISO/pen-test)QA-assessed
Signed quality/data agreementNotification obligations
📋 Governing SOPs:VRX-SOP-701VRX-SOP-303
EU Annex 11 §3·§4.5 (supplier & audit)GAMP 5 — supplier assessment / leveragingISO 27001 A.5.19–A.5.22 / SOC 2
SUP-2
Ongoing Supplier Oversight & Change/Incident Notification
Qualification isn't one-and-done — monitor, re-qualify, and react to supplier change
Supplier Quality
Key activities
Periodic re-qualification — annual SOC 2 / ISO refresh, performance & SLA review, supplier CAPA tracking.
Change notification handling — supplier-initiated changes (cloud region, model provider, subprocessor) routed into Verixa change control + AI/security/validation impact assessment.
Incident notification handling — supplier incidents/breaches assessed for Verixa & customer impact; escalation and customer-notification decision.
RACI
ActivityRACI
Supplier oversightRSupplier QualityAHead of QASecurity, Release Mgr, AI GovCustomer Success
Evidence
Periodic re-qualification recordsSLA & CAPA review
Supplier change/incident logImpact-assessed
📋 Governing SOPs:VRX-SOP-702
EU Annex 11 §3·§10 (supplier & change)ICH Q10 — outsourced activitiesSOC 2 — vendor monitoring

Deep-Dive Sub-Flow — Business Continuity, Disaster Recovery & Backup/Restore

Regulated records must stay available. RTO/RPO, backups, and tested restores are validation evidence, not just IT hygiene.
Plugs into: Phase 6 (cloud/infra) · Phase 7 (validation) · Phase 10 (periodic DR test). Owner: BCP/DR function + SRE; QA by Head of QA.
↑ Main-flow phases:Phase 6Phase 7Phase 10
DR-1
RTO/RPO, Backup & Restore Testing
Define objectives, back up regulated records, and prove restore works
SRE · BCP/DR
Key activities
RTO/RPO definition — recovery time & point objectives per regulated record class, agreed with QA and reflected in customer commitments.
Backup strategy — scope (records + metadata + audit trail + attachments), frequency, encryption, geo-redundancy, immutability/retention.
Restore testingperiodic, evidenced restore tests proving data + audit trail + signatures recover intact within RTO/RPO; absence of a tested restore = not a validated continuity control.
RACI
ActivityRACI
RTO/RPO, backup, restore testRSRE / BCP-DRAHead of QADI SME, SecurityCustomer Success
Evidence
RTO/RPO + backup policyPer record class
Restore test recordsAudit trail recovered
📋 Governing SOPs:VRX-SOP-801VRX-SOP-206
EU Annex 11 §7.2 (backup) · §16 (continuity)ALCOA+ (enduring, available)ISO 27001 A.5.29·A.5.30 / SOC 2 A1
DR-2
DR Plan, Failover & Continuity Exercises
A documented, rehearsed plan for regional failure or major outage
BCP/DR · SRE
Key activities
DR plan — failover architecture, multi-region/AZ strategy, runbooks, roles, communication tree, regulated-record availability priority.
Continuity exercises — periodic failover/DR drills with evidence; lessons-learned feed CAPA; customer SLA alignment.
Tenant-level recovery — confirm a single customer/tenant can be recovered without cross-tenant exposure.
RACI
ActivityRACI
DR plan & exercisesRSRE / BCP-DRAHead of QASecurity, Eng LeadCustomer Success
Evidence
DR plan + runbooksFailover architecture
DR exercise recordsLessons → CAPA
📋 Governing SOPs:VRX-SOP-802
EU Annex 11 §16 (business continuity)ISO 22301 / ISO 27001 A.5.29·A.5.30ICH Q10 — continual suitability

Deep-Dive Sub-Flow — Quality Events: Incident / Deviation / RCA / CAPA / Complaint

The operational quality loop that runs continuously once the system is live — turning any failure (bug, outage, audit finding, customer complaint) into a controlled, evidenced corrective & preventive action.
Plugs into: Phase 5 (test defects → deviations) · Phase 9–10 (production incidents, complaints, change) and feeds QMS Management Review. Owner: QA / Quality Lead.
↑ Main-flow phases:Phase 5Phase 9Phase 10
QE-1
Capture, Triage & Risk-Assess (Incident/Deviation/Complaint)
Log it, classify severity & GxP impact, contain it
QA · Quality Lead
Key activities
Intake — production incident, validation deviation, SaaS quality incident, audit/inspection finding, or customer complaint captured with attribution, timestamp, and source linkage.
Classification — severity, GxP impact, data-integrity impact, patient/product-quality impact, customer impact; immediate containment/correction.
Escalation — critical events escalate to Head of QA; regulatory-reportable events flagged to Reg Affairs.
RACI
ActivityRACI
Capture, triage, containmentRQAAHead of QAEng, Security, DI SMEReg Affairs, Customer Success
Evidence
Deviation/incident/complaint recordSeverity, GxP impact
Containment/correction recordImmediate action
📋 Governing SOPs:VRX-SOP-901VRX-SOP-904VRX-SOP-905
EU Annex 11 §13 (incident mgmt)ICH Q10 §3.2.121 CFR 211.192 / 820.198 (complaints)
QE-2
Root Cause Analysis & CAPA (corrective + preventive)
Fix this, and stop recurrence — with up-front effectiveness criteria
QA · Process Owner
Key activities
Root cause analysis — structured RCA (e.g. 5-Why / Ishikawa); distinguish correction from corrective from preventive action.
CAPA plan — action items with owners + target dates; measurable, time-bound effectiveness criteria defined up front; segregation of duties (creator ≠ assignee ≠ verifier).
Implementation — each action executed & evidenced (ALCOA+); document/training/process changes linked; overdue escalation.
RACI
ActivityRACI
RCA & CAPA planRProcess Owner / QAAHead of QAEng, DI SME, AI GovReg Affairs
Evidence
RCA reportCorrective vs preventive
CAPA record + action evidenceUp-front criteria
📋 Governing SOPs:VRX-SOP-902VRX-SOP-903
ICH Q10 §3.2.221 CFR 211.192 · 820.100ALCOA+ action evidence
QE-3
Effectiveness Check & Closure (e-signed)
Prove the CAPA worked before closing — ineffective never reaches closed
Independent Verifier · Head of QA
Key activities
Effectiveness check — objective verification against the up-front criteria; e-signed determination (not just final close); verifier ≠ creator/assignee.
Outcome routing — Effective → closure gate; Partially effective → residual-action plan (cannot close); Ineffective → mandatory rework or linked new CAPA.
Closure — all action items complete + effective; closure authority + e-signature; critical CAPA → executive co-sign; record immutable; feeds trending/APQR & Management Review.
RACI
ActivityRACI
Effectiveness & closureRIndependent VerifierAHead of QAProcess OwnerReg Affairs
Evidence
Effectiveness determination (e-signed)Vs criteria
CAPA closure recordImmutable, trended
📋 Governing SOPs:VRX-SOP-903
ICH Q10 §3.2.221 CFR 820.100(a)(4)21 CFR 11.100/11.200 · EU Annex 11 §14

Deep-Dive Sub-Flow — Internal Audit, QMS Management Review & Inspection Readiness

The governance loop that proves the QMS itself works: self-inspection finds gaps, management review steers, and inspection-readiness keeps the evidence binder current for FDA/EMA/customer audits.
Plugs into: all phases (continuous oversight) and Phase 10 (validated-state maintenance). Owners: Internal Audit · Head of QA · Audit & Inspection Readiness.
↑ Main-flow phases:Phase 0Phase 5Phase 9Phase 10 + continuous oversight
GOV-1
Internal Audit / Self-Inspection
Risk-based, independent audits of the QMS and the system
Internal Audit (independent)
Key activities
Audit programme — risk-based schedule, scope, auditor independence, checklists, sampling strategy.
Execution — interviews, evidence review, finding classification (critical/major/minor), objective evidence captured.
Finding closure — CAPA linkage, effectiveness check, repeat-finding review; feeds Management Review.
RACI
ActivityRACI
Internal auditRInternal AuditorAHead of QAProcess ownersReg Affairs
Evidence
Audit programme + reportsFindings classified
Finding CAPA + closureRepeat-finding review
📋 Governing SOPs:VRX-SOP-908
ICH Q10 §3.2.3 (internal audit)21 CFR 211.22 / 820.22 · EU GMP Ch.9
GOV-2
QMS Management Review & Quality Risk Management
Executive oversight of metrics, risks, and continual improvement
Head of QA · Executive
Key activities
Management review — quality metrics/KPIs/KRIs, deviation/CAPA/complaint trends, audit findings, change & release performance, AI drift, security posture, supplier performance, validation state — reviewed on cadence.
Quality risk management — maintain the quality risk register; risk-based decisions; escalation; quality objectives tracking (ICH Q9(R1)).
Continual improvement — documented decisions & actions, resourcing, and steering of the QMS (ICH Q10).
RACI
ActivityRACI
Management review & QRMRHead of QAAExecutive / FounderFunction leadsAll staff
Evidence
Management review minutes + actionsMetrics-driven
Quality risk registerLive, risk-rated
📋 Governing SOPs:VRX-SOP-909VRX-SOP-007
ICH Q10 §4 (management review) · ICH Q9(R1)EU Annex 11 §1 (risk mgmt)EU GMP Ch.1 (PQS)
GOV-3
Audit & Inspection Readiness
Keep the evidence binder inspection-ready for FDA/EMA/notified-body and customer audits
Audit & Inspection Readiness
Key activities
Evidence index — single traceable index across URS, RA, design, RTM, IQ/OQ/PQ, VSR, validation pack, change records, periodic reviews, DI/AI/security/supplier evidence, deviation/CAPA.
Inspection war-room — roles, SME map, front-room/back-room process, request-response structure, finding-response & CAPA linkage.
Customer/supplier audit response — qualification pack, shared-responsibility narrative, mock-audit gap closure.
RACI
ActivityRACI
Inspection readinessRAudit & Inspection ReadinessAHead of QAAll function leads, Reg AffairsExecutive
Evidence
Inspection evidence index/binderCross-referenced
Inspection runbook + mock-audit recordsGaps closed
📋 Governing SOPs:VRX-SOP-910
GAMP 5 — inspection readiness21 CFR 11 / EU Annex 11 (evidence availability)FDA inspection / EU GMP / PIC/S

Deep-Dive Sub-Flow — Platform Engineering & Operations

The cross-cutting platform & infrastructure GxP controls every release must address — identity, configuration, data lifecycle, integration, operations and data capture.
Plugs into: Phase 3 (design) · Phase 4 (build) · Phase 6 (release/cloud) · Phase 10 (change). Owner: Platform Engineering · SRE; adequacy by Security / Data Integrity / Architect.
↑ Main-flow phases:Phase 3Phase 4Phase 6Phase 10
PE-1
Enterprise Auth & Tenant / Org Administration
Authentication, MFA, SSO/SCIM, session policy — and tenant/org/user administration
Platform Eng · Security
Key activities
Authentication & MFA — password policy, MFA, lockout behavior, IP allowlist, session policy, token lifecycle.
SSO / SCIM provisioning — federated identity and automated provisioning / deprovisioning under control.
Tenant / organization administration — tenant & org hierarchy, user/membership, role assignment, tenant lifecycle, tenant-scoped admin behavior.
Auth evidence — authentication, session and admin events logged to the audit trail.
RACI
ActivityRACI
Enterprise auth & tenant adminRPlatform EngASecurity LeadDI SME, Access Review OwnerHead of QA
Evidence
Auth / MFA / session policyConfig baseline
Tenant & role admin recordsTenant-scoped
Auth event logsAudit-trailed
📋 Governing SOPs:VRX-SOP-404VRX-SOP-605VRX-SOP-601VRX-SOP-309
21 CFR 11.10(d)(g)EU Annex 11 §12ISO 27001 A.5.15–A.5.18 / SOC 2 CC6
PE-2
Master & Reference Data + Configuration Baselines
Controlled master/reference data and tenant/environment configuration baselines
Config Owner · Product
Key activities
Master / reference data — cross-module master data, reference data, code lists, classifications (site / product / supplier / process) under controlled change.
Configuration baselines — tenant, module and environment configuration captured as controlled baselines; customer configuration boundaries defined.
Change linkage — every master-data or configuration change links to change control with impact assessment.
Evidence — configuration records, baseline snapshots and change linkage retained.
RACI
ActivityRACI
Master data & configurationRConfig OwnerAHead of QAArchitect, DI SMERelease Mgr
Evidence
Master / reference data registerControlled change
Configuration baselinePer tenant / env
Change linkageImpact-assessed
📋 Governing SOPs:VRX-SOP-309VRX-SOP-302
EU Annex 11 §4.4·§10ALCOA+ (consistent, accurate)GAMP 5 — configuration
PE-3
Workflow Builder & Configurable Workflow Templates
Configured eQMS workflows are versioned, controlled and validated
Product · Config Owner
Key activities
Workflow templates & versions — template, version, state transitions, guard conditions and routing rules under configuration control.
Workflow instances — runtime instances traceable to their template version.
Validation of configured workflows — configured GxP workflows validated as Cat-4/5 configuration; changes re-validated to risk.
Change control — workflow configuration changes routed through change control.
RACI
ActivityRACI
Workflow builder / templatesRConfig Owner / ProductAHead of QACSV/CSA, Test ArchitectEng
Evidence
Workflow template + version recordsState / routing defined
Configured-workflow validationRisk-based
Workflow change recordsControlled
📋 Governing SOPs:VRX-SOP-309VRX-SOP-302VRX-SOP-201
GAMP 5 — configured workflowEU Annex 11 §4ALCOA+ (workflow state integrity)
PE-4
Data Lifecycle: Retention, Archive, Erasure & DB Schema Evolution
Retention/archive/purge/erasure/quota and controlled database schema migration
DI SME · DBA / Platform Eng
Key activities
Retention / archive / purge / erasure / quota — lifecycle actions and retention jobs governed; erasure honors regulatory retention before deletion.
Database schema evolution — application DB migration, schema versioning, migration-script control, rollback evidence, deployment linkage.
Regulated-record protection — no purge/erasure of records within their retention period; erasure evidence retained.
Change & validation linkage — schema/retention changes under change control with migration test evidence.
RACI
ActivityRACI
Data lifecycle & schema evolutionRDBA / Platform EngAData Integrity SMECSV/CSA, Release Mgr, Legal (erasure)Head of QA
Evidence
Retention / erasure policy + jobsRetention honored
Schema migration scripts + rollbackTest-evidenced
Deployment linkageChange-controlled
📋 Governing SOPs:VRX-SOP-405VRX-SOP-308VRX-SOP-104VRX-SOP-406
21 CFR 11.10(c) · EU Annex 11 §7·§17ALCOA+ (enduring, available)GDPR erasure vs retention
PE-5
Integration Platform: Connectors / SOR / DLQ / Webhooks & Real-time Messaging
External connectors, system-of-record matrix, dead-letter queue, webhooks and real-time delivery
Integration Eng · Platform Eng
Key activities
Connector registry & SOR — external connector registry, sync jobs, and a system-of-record matrix defining the authoritative source per data class.
Dead-letter queue & conflict handling — failed-message DLQ, conflict resolution rules, reprocessing control.
Webhook & event routing — webhook event routing governed; payloads validated (links to Migration M9 API validation).
Real-time messaging — WebSocket behavior, offline queue, event replay, disconnect handling, message-delivery evidence.
RACI
ActivityRACI
Integration platformRIntegration EngASecurity / DI SMEArchitect, Supplier Quality, Test ArchitectHead of QA
Evidence
Connector registry + SOR matrixAuthoritative source
DLQ + reprocessing evidenceConflict rules
Message-delivery evidenceReplay / offline
API payload validation → Migration & Integration (M9); payload security / tenant exposure → Security; supplier/middleware → Supplier Quality.
📋 Governing SOPs:VRX-SOP-407VRX-SOP-309
EU Annex 11 §5 · 21 CFR 11.10(d)ALCOA+ (complete, consistent)ISO 27001 — integration
PE-6
Platform Operations: Observability, Runbooks, Jobs/Health & Notifications
Runbooks, observability, scheduled jobs & health, and notification/escalation governance
SRE · Platform Ops
Key activities
Observability & runbooks — operational runbooks, metrics, logs, alerts and dashboards with incident linkage.
Scheduled jobs & health — liveness/readiness/startup checks, scheduled-job logs, operational metrics, infrastructure status evidence.
Notifications & escalation — notification preferences, channels, templates, digests, email queue, escalation & SLA-notification behavior.
Operations evidence — operations evidence packs linked to incidents/deviations where GxP-impacting.
RACI
ActivityRACI
Platform operations & observabilityRSRE / Platform OpsAHead of QASecurity, Eng LeadCustomer Success
Evidence
Runbooks + observability evidenceMetrics / alerts
Scheduled-job & health logsInfra status
Notification / escalation configSLA behavior
📋 Governing SOPs:VRX-SOP-911VRX-SOP-905VRX-SOP-301
EU Annex 11 §16 · §1ISO 27001 — operations / monitoringICH Q10 — continual suitability
PE-7
Data Capture, Localization & Test-Data Governance
Screen-reader/OCR/email ingestion, regulated-wording translation control, and seed/test-data governance
Platform Eng · QA
Key activities
Data capture — screen-reader capture, OCR jobs, extraction templates, email-ingestion rules, inbound queues, and extracted-data review linkage.
Localization / i18n — locale records, translation keys/values, and version control of regulated wording; user locale preferences.
Seed & test data — seed data, test tenants/users, permission seed, demo records, dataset lineage and reset scripts; test data segregated from production.
Evidence — extraction review, translation version control and seeded-data lineage retained.
RACI
ActivityRACI
Data capture, i18n & test dataRPlatform Eng / QAAHead of QADI SME, Test ArchitectReg Affairs
Evidence
OCR / ingestion + review recordsExtraction reviewed
Translation version controlRegulated wording
Test-data lineageProd-segregated
📋 Governing SOPs:VRX-SOP-207VRX-SOP-309VRX-SOP-002
EU Annex 11 §5 (accuracy checks)ALCOA+ (accurate, legible)GDocP — controlled wording

Deep-Dive Sub-Flow — Validation Automation & Statistical Quality

Where Verixa validates itself and governs statistical quality logic — automated validation evidence and SPC / scoring validation.
Plugs into: Phase 5 (test) · Phase 7 (validation) · Phase 10 (change). Owner: Validation Lead · Data/Quality; adequacy by Head of QA / CSV-CSA.
↑ Main-flow phases:Phase 5Phase 7Phase 10
VA-1
Self-Validation / Validation Automation
Change detection → automated validation runs → evidence capture → package generation → QA handoff
Validation Lead · Platform Eng
Key activities
Change detection — the self-validation module detects change and triggers a validation run; trigger scope is controlled.
Automated validation runs — validation run records with automated test execution; screenshot / evidence capture as ALCOA+ evidence.
Automated package generation — validation package assembled automatically (protocols, results, traceability) for human QA review.
QA handoff — automated output is advisory until reviewed; Head of QA dispositions; the tool does not self-approve validation.
RACI
ActivityRACI
Self-validation / validation automationRValidation Lead / Platform EngAHead of QACSV/CSA, Test ArchitectEng
Evidence
Validation run recordsChange-triggered
Captured evidence + screenshotsALCOA+
Auto-generated validation packageQA-reviewed
The automation generates evidence; it never self-approves. Validation strategy → CSV/CSA Expert; final disposition → Head of QA.
📋 Governing SOPs:VRX-SOP-202VRX-SOP-203VRX-SOP-005
GAMP 5 · FDA CSA — automated assurance21 CFR 11.10(a) — validationALCOA+ test evidence
VA-2
SPC / Statistical Rules & Scoring Validation
Quality scoring formulas, SPC rules, thresholds and score history validated as computations
Data / Quality · CSV/CSA
Key activities
Scoring formulas — quality scoring formulas and weightings are specified, version-controlled and validated as calculations.
SPC rules & thresholds — control-chart rules, thresholds and trend rules defined and tested against known data.
Score history & traceability — score history retained; each score traceable to source data and the formula/version used.
Statistical evidence — validation scenario inputs for scoring/SPC behavior (detailed protocols → Test Architect).
RACI
ActivityRACI
SPC / scoring validationRData / QualityAHead of QACSV/CSA, Test ArchitectProduct
Evidence
Scoring formula spec + versionValidated calc
SPC rule test evidenceKnown-data
Score historySource-traceable
📋 Governing SOPs:VRX-SOP-408VRX-SOP-201
ICH Q9(R1) · GAMP 5EU Annex 11 §5 (accuracy checks)ALCOA+ (accurate, traceable)

Coverage map — where every engineering & regulatory concern lives

The main spine (Phases 0–10) is sequential. The 7 sub-flows are cross-cutting tracks — AI, data integrity, security, supplier, continuity, quality events and governance recur across many phases, so they run as parallel tracks rather than single steps. That is why they sit alongside the spine, not inside one phase. Everything is wired together below — click any row to jump.
How to read this flow. Phases 0–7 are Verixa's internal build-and-validate lifecycle (vendor side). Phases 8–9 are the customer rollout (where Verixa enables but the customer's QA owns their validation approval). Phase 10 is the loop that keeps every later change re-entering the lifecycle at the right depth. Decision Gate A and the per-phase exit gates are hard stops — a failed gate routes work backward, never forward.
Main lifecycle (Phases 0–10) plus 10 deep-dive sub-flows so nothing is missed: (1) Data Migration & Integration (M1–M10), (2) AI Validation & Governance incl. RAG source governance + agentic registry/panel/DRT (AI-1–5), (3) Data Integrity / Part 11 / Annex 11 (DI-1–3), (4) Security & Privacy incl. access review (SEC-1–4), (5) Supplier & Cloud Qualification (SUP-1–2), (6) BCP/DR & Backup-Restore (DR-1–2), (7) Quality Events Incident/Deviation/RCA/CAPA/Complaint (QE-1–3) and Governance — Internal Audit / Management Review / Inspection Readiness (GOV-1–3); (9) Platform Engineering & Operations (PE-1–7); (10) Validation Automation & Statistical Quality (VA-1–2).
Verixa skills invoked to build this: CSV/CSA Assurance Expert · Release & Change Control Manager · Customer Implementation & Validation Enablement Expert · GxP Data Migration & Integration Validation Expert. Skill chain: URS Expert → CSV/CSA Expert → Validation Test Architect → Head of QA (terminal release authority). Specialist sub-flows map to: AI Validation & Governance Expert, Data Integrity/Part 11/Annex 11 Expert, Security/Privacy Expert, Supplier Quality Expert, BCP/DR Expert, GxP Incident/Deviation/CAPA/Complaint Expert, Internal Audit/Self-Inspection Expert, QMS Management Review/Quality Risk Expert, Audit & Inspection Readiness Expert. Regulatory baseline per the Verixa repository CLAUDE.md (GAMP 5 Cat 5; 21 CFR Part 11 & 211; EU Annex 11; EU Annex 22 Draft 2025; EU AI Act 2024/1689; FDA CSA Sep 2025; ICH Q9(R1)/Q10/E6(R3); ISO 27001/22301/SOC 2; GDPR; MHRA DI; GMLP; WHO TRS 996 Annex 5).
Scope & limitations. This is a process workflow template, not a validation approval or a compliance certification. Regulatory clause references are pointers to public guidance and must be confirmed per module, jurisdiction, and market. EU Annex 22 is draft/consultation; treat as forward-looking until adopted. "Validated" applies only to a specific scope + version + intended use with approved human evidence — never asserted by this document. Per Verixa governance, only authorised QA/validation humans approve validation; AI produces the assurance pack, humans approve it.