Inspiration
In pharma, biotech, and MedTech, regulatory compliance is the #1 bottleneck for AI adoption. Many healthcare agents focus on clinical data (FHIR) but lack the "regulatory brain" needed to ensure their workflows comply with strict global standards such as GxP, EU Annex 11, or FDA 21 CFR Part 11. We built ComplianceGxP as the specialized tool that makes other agents compliant by default. Our goal: "Instant compliance expertise for every agent on the platform."
What it does
ComplianceGxP is an MCP-based "Superpower" that provides expert regulatory analysis to any healthcare agent. It features 7 specialized query modes:
- qa: General GxP/pharma compliance Q&A (ICH Q7, EU GMP).
- mdr: EU Medical Device Regulation (2017/745).
- hipaa: HIPAA Privacy & Security Rules.
- part11: Electronic Records & Signatures (FDA 21 CFR Part 11 / EU Annex 11).
- csv / deviation / capa: Structured workflows for Computer System Validation and quality management.
It retrieves from a curated knowledge base of 3,300+ chunks of primary regulatory text and returns citation-backed answers. It is SHARP-compliant and FHIR-agnostic: it composes with clinical agents without requiring patient data, so no PHI has to flow through it, while keeping the workflow within the regulatory rails.
How we built it
- Architecture: Python (FastAPI) backend deployed on Fly.io, exposed over SSE transport.
- RAG Engine: FAISS vector store with local `sentence-transformers` embeddings, so the regulatory corpus is indexed privately without sending text to an external embedding API.
- LLM Reasoning: Anthropic Claude 3.5 Sonnet for high-precision regulatory analysis.
- Protocol: Fully SHARP-on-MCP compliant. We specifically implemented the `fhir_context_required: false` capability to prove that compliance tools can (and should) be decoupled from clinical data sources for maximum composability.
- Validation & Integrity: Built under GAMP 5 Category 4 software standards, with a chained SHA-256 audit trail (each entry's hash covers the previous entry's hash, so edits, deletions and reordering of entries are detectable) for 21 CFR Part 11 integrity.
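The chained SHA-256 audit trail mentioned above, as an added example that is not ComplianceGxP's own code: an append-only writer, a verifier that recomputes every link, and a demonstration of what the chain does and does not catch. The record layout (`seq`, `ts`, `actor`, `action`, `detail`), the all-zero genesis anchor, and the sample events are assumptions constructed for the example. The last two cases show the caveat a Part 11 reviewer will ask about: a hash chain is only tamper-evident if the current head hash is checkpointed somewhere the writer cannot rewrite, because anyone with write access can otherwise rebuild every link.

```python
"""Hash-chained audit trail: added example, not ComplianceGxP's code.
Record layout, GENESIS anchor and sample events are assumptions."""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # assumed convention: the "previous hash" of the first entry


def canonical(payload: dict) -> bytes:
    # Deterministic serialization, so identical content always yields the same digest.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def entry_hash(prev_hash: str, payload: dict) -> str:
    # Each link covers the previous link's digest plus this entry's content.
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(canonical(payload))
    return h.hexdigest()


def append_entry(trail: list, actor: str, action: str, detail: dict, ts: Optional[str] = None) -> dict:
    prev = trail[-1]["hash"] if trail else GENESIS
    payload = {
        "seq": len(trail),  # position is part of the hashed content, so reordering breaks the chain
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "detail": detail,
    }
    entry = dict(payload, prev_hash=prev, hash=entry_hash(prev, payload))
    trail.append(entry)
    return entry


def head_hash(trail: list) -> str:
    return trail[-1]["hash"] if trail else GENESIS


def verify_trail(trail: list, expected_head: Optional[str] = None):
    """Recompute every link. Returns (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        payload = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["seq"] != i or entry["prev_hash"] != prev or entry_hash(prev, payload) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(trail)  # internally consistent, but not the chain we checkpointed
    return True, None


def rechain(entries: list) -> list:
    """What an attacker with write access does: rebuild every link so an edited trail self-verifies."""
    rebuilt: list = []
    for e in entries:
        append_entry(rebuilt, e["actor"], e["action"], e["detail"], ts=e["ts"])
    return rebuilt


def demo() -> dict:
    trail: list = []
    # Constructed sample events; the citation text is illustrative, not output of the real service.
    append_entry(trail, "agent:clinical-01", "query", {"mode": "part11", "q": "audit trail requirements"},
                 ts="2024-05-01T09:00:00+00:00")
    append_entry(trail, "agent:clinical-01", "answer", {"citations": ["21 CFR 11.10(e)"]},
                 ts="2024-05-01T09:00:01+00:00")
    append_entry(trail, "user:qa-reviewer", "review", {"verdict": "accepted"},
                 ts="2024-05-01T09:05:00+00:00")
    checkpoint = head_hash(trail)  # in practice stored out of band: signed, WORM storage, or a separate system

    tampered = copy.deepcopy(trail)
    tampered[1]["detail"]["citations"] = ["21 CFR 11.10(a)"]  # silently change the cited clause
    deleted = trail[:1] + trail[2:]                            # drop the answer entry
    reordered = [trail[0], trail[2], trail[1]]                 # swap answer and review
    rewritten = rechain(tampered)                              # edit, then recompute all hashes

    return {
        "intact": verify_trail(trail, checkpoint),
        "tampered": verify_trail(tampered),
        "deleted": verify_trail(deleted),
        "reordered": verify_trail(reordered),
        "rewritten_without_checkpoint": verify_trail(rewritten),
        "rewritten_with_checkpoint": verify_trail(rewritten, checkpoint),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the last two cases differ from each other: a rebuilt chain passes link-by-link verification and is caught solely by the out-of-band head checkpoint, which is why the checkpoint (or a signature over each head) is the part of the design a Part 11 audit will focus on.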
Challenges we ran into
The primary challenge was "model alignment for regulation." Standard LLMs can be overly helpful or generic; we had to use strict RAG retrieval and behavioral contracts (via AgentContract) to ensure the agent speaks only from the sourced regulatory corpus. We also had to navigate the "missing await" traps in the latest Google GenAI SDKs while integrating Gemini as an alternative orchestrator.
Accomplishments that we're proud of
- Achieving a "Zero-PHI" compliance architecture that still provides citation-backed regulatory guidance grounded in the sourced corpus.
- Indexing the entire EU MDR and FDA 21 CFR Part 11 libraries with sub-second retrieval performance.
- Seeing our "Superpower" correctly identify Notified Body involvement requirements for reclassified software as a medical device (SaMD) in real time on the Prompt Opinion platform.
What we learned
We learned that MCP is the perfect vehicle for "Service-Oriented Compliance." In healthcare, the "Endgame" isn't one giant agent that knows everything—it's a swarm of specialized agents. ComplianceGxP proves that a regulatory "specialist" can be easily integrated into any workflow to provide the trust layer that clinical agents currently lack.
What's next for ComplianceGxP
- EU AI Act Integration: Adding support for the high-risk AI classification and reporting requirements.
- Direct EQMS Integration: Building connectors for Veeva Vault and TrackWise to automate the drafting of CAPAs and Validation Protocols.
- Private Pilot Expansion: Scaling our GAMP 5 validated package for DACH-region pharmaceutical manufacturers.
Demo API Key (qa-only): cgxp-2rdFvHQ0XjOs5ouzX923vrFt8P9dvKxcGlV_YJe1Mr4