Sub-verticals
Three calling-side shapes; one shared platform.
Clinical trial operations (clinical trial)
Subject screening, eligibility confirmation, consent drafting and renewal, adverse-event triage, protocol-deviation flagging, and patient-communication drafting. The consent.renewed, adverse_event.flagged, protocol_deviation.flagged, eligibility.confirmed, and patient.communication_sent action classes are gated behind a clinician or trial-coordinator in the loop.
Pharmacovigilance (PV)
Adverse-event detection from intake channels, triage and seriousness classification, MedDRA coding, Yellow Card / EudraVigilance / FAERS filing support, signal detection from longitudinal case data, and periodic safety update report drafting. The adverse_event.reported, yellow_card.filed, signal.detected, psur.drafted, and meddra.coded action classes are gated behind the qualified person for pharmacovigilance (QPPV).
Regulatory submission (regulatory affairs)
eCTD module drafting (Modules 1 through 5), CMC section drafting under the ICH Q-series, clinical study report drafting under ICH E3, and response-to-question drafting for regulator queries. The ectd.submitted, csr.signed_off, cmc.signed_off, response_to_question.submitted, and protocol_amendment.submitted action classes are gated behind a regulatory-affairs lead sign-off.
Regulators covered
Which frameworks the life-sciences pack maps to.
The per-sub-vertical pages below carry the full coverage table. The headline mapping: FDA 21 CFR Part 11, ICH E6(R2) Good Clinical Practice, the EMA Reflection Paper on AI in the Medicinal Product Lifecycle, EU GMP Annex 11 where the workflow is GMP-relevant, MHRA Software and AI as a Medical Device guidance, the MHRA Yellow Card scheme, and HIPAA where US trials are in scope.
- FDA 21 CFR Part 11
vortalis_proxy/compliance/fda_21_cfr_part_11.py
tests/conformance/regulators/fda_21_cfr_part_11/ - EMA
vortalis_proxy/compliance/ema.py
tests/conformance/regulators/ema/ - ICH E6(R2) GCP
vortalis_proxy/compliance/ema.py (build_ema_sections)
tests/conformance/regulators/ich_e6_r2/ - MHRA
vortalis_proxy/compliance/mhra.py
tests/conformance/regulators/mhra/ - MHRA SaMD (AI/ML)
vortalis_proxy/compliance/mhra_samd.py - HIPAA
vortalis_proxy/compliance/frameworks.py (build_hipaa_sections)
tests/conformance/regulators/hipaa/
Honest limits
What this sector pack does not do.
Vortalis does not perform clinical decision-making, file Yellow Cards, or submit dossiers to regulators; it governs AI-agent decisions about those tasks and produces the audit evidence the operator uses.
The policy templates gate the actions an AI agent may take. The actual filing of a Yellow Card with the MHRA, the actual EudraVigilance gateway upload, the actual eCTD-portal submission all happen in the operator's existing infrastructure. The audit chain records the agent's decision and the upstream outcome; it does not file with the regulator on the operator's behalf.
Counterparty certification with regulator portals (FDA, EMA, MHRA), eCTD publishers, and clinical-trial-management systems is the operator's responsibility.
Vortalis ships sector adapters as code where they exist; production certification with each regulator portal, publishing tool, and CTMS / safety-database integration sits with the operator. The Vortalis adapters provide a starting shape; conformance against the regulator's submission acceptance programme (for example FDA ESG, EMA CESP, MHRA portal) is the operator's track.
The PCCP and Algorithm Change Protocol pathways depend on operator-side change-management processes that Vortalis can record but not enforce on its own.
The MHRA's Pre-Determined Change Control Plan and Algorithm Change Protocol expectations for adaptive AI SaMD are concept-stage as at 2026. The Vortalis platform records the operator's PCCP-equivalent declaration and the policy versioning that produced each governed decision; the substantive content of the PCCP (the planned adaptations, the validation envelope, the rollback criteria) lives in the operator's change-management process.
Validated state under 21 CFR Part 11 is an operator-level conclusion that requires operator validation evidence on top of the Vortalis runtime controls; the runtime controls are necessary but not sufficient.
Part 11 compliance is achieved by the operator's validated deployment of a system that includes Vortalis. The platform supplies the cryptographic audit chain, ES256 signing, RBAC, encryption at rest, and the signature / record linking property that Part 11 requires. The operator's IQ, OQ, PQ, validation summary report, SOPs on signature meaning, training records, and physical-security posture sit alongside the platform; both are necessary for the operator to assert Part 11 compliance against the predicate rule.
The general-purpose honest limits sit at /security/limitations; this list is specific to the life-sciences pack.
Bring Vortalis to your life-sciences agents.
Pick the sub-vertical above. Read the integration brief if you would rather start with the engineering detail. Talk to us first if you would rather start with a conversation about your threat model.