← Resources

GxP Readiness Checklist

23-point check: is your chemistry MCP stack audit-ready for EU Annex 11, 21 CFR Part 11, and GAMP 5 Cat 4? Use this checklist before any regulatory workflow.

A. Audit Trail

• ☐1. Every tool call is logged with user, timestamp (UTC), tool version, model version, input hash, and output hash.
• ☐2. Audit trail is tamper-evident (e.g., hash chaining or cryptographic signature).
• ☐3. Audit trail retainable for at least 7 years (regulatory minimum).
• ☐4. Audit trail exportable in machine-readable format (JSON, CSV).
• ☐5. Authenticated user is uniquely attributable (no shared service account for regulated calls).

B. Determinism

• ☐6. All tool outputs are deterministic: same input → same output.
• ☐7. Tool versions are explicitly pinned (not latest, not floating).
• ☐8. Model versions (for QSAR, predictive models) are explicitly pinned.
• ☐9. Re-run of the same call months later produces byte-identical output.
• ☐10. Floating-point determinism across compute hosts (no hardware-dependent numerical drift).

C. Access Control

• ☐11. Authentication via secure identity provider setup (OIDC, SAML, or strictly managed API keys).
• ☐12. Role-based permissions (reader, writer, admin, at minimum).
• ☐13. Access logs separate from audit trail but synchronously consistent.
• ☐14. Multi-factor authentication available for admin accounts.

D. Validation Documentation

• ☐15. URS (User Requirements Specification) documented.
• ☐16. FS (Functional Specification) documented.
• ☐17. Configuration is documented (software categorization GAMP 5 Cat 4 or Cat 5).
• ☐18. Risk assessment conducted (FMEA or equivalent).
• ☐19. IQ (Installation Qualification) protocol in place.
• ☐20. OQ (Operational Qualification) protocol in place.
• ☐21. PQ (Performance Qualification) protocol in place.
• ☐22. User acceptance testing documented.
• ☐23. Change control process for tool updates defined.