01 Executive Summary
What Aurelyn Trial | OS™ Solves
The clinical trial industry has long operated with a fundamental structural failure: documentation, data, and compliance artifacts live in disconnected silos. Oversight is retrospective, errors compound silently, and teams spend months reconstructing truth for inspections and regulatory submissions. Aurelyn Trial | OS™ ends this.
Real-Time
Data Ingestion & Compliance Monitoring
0
Writes to Source Systems — Non-Destructive by Design
1
Unified Source of Truth Across All Connected Systems
∞
Audit Trail Depth — Every Action Timestamped
Aurelyn Trial | OS™ is a protocol-native, AI-powered operating layer that sits above the existing landscape of clinical trial technology — EDC, eTMF, CTMS, IVRS/IWRS, Safety Systems — and unifies them into a single, coherent compliance intelligence engine. It does not replace these systems. It governs them.
The product is anchored by a fundamental insight from the clinical operations domain: the Protocol is the Law of the trial. Every downstream activity, every data point, every site communication, every document — all of it is a direct expression of the protocol's requirements. By treating the protocol as executable logic and anchoring the engine to pre-loaded global regulatory standards (ICH GCP, CFR, CDISC, eTMF Reference Model), the system moves from reactive auditing to proactive governance.
The result is a trial team that doesn't discover compliance gaps during a sponsor audit or an FDA inspection — they resolve them in real time, at the point of entry, with the specific regulatory citation and remediation pathway already provided.
Core Value Proposition: Aurelyn Trial | OS™ transforms clinical compliance from a months-long retrospective reconstruction into a continuous, automated, real-time governance function — dramatically compressing time-to-CSR, reducing deviation risk, and ensuring inspection-ready data at every point in the trial lifecycle.
02 Product Vision
From Static Database to Operational Intelligence
Aurelyn Trial | OS™ is built on a foundational paradigm shift: the clinical trial ecosystem must evolve from recording what happened to governing how it happens.
Status Quo
The Broken Model
- Siloed systems with no cross-validation
- Compliance reviewed retrospectively at close-out
- eTMF is a static repository — documents stored, not monitored
- Protocol amendments create "version drift" at sites
- CSR compilation requires months of manual data reconciliation
- Deviations discovered late, remediation is reactive
- Inspection readiness is a periodic, intensive effort
Aurelyn Trial | OS™
The Operational Model
- All systems unified into one compliance truth layer
- Compliance enforced continuously, in real time
- eTMF is operational — documents monitored, flagged, enforced
- Amendments trigger automated downstream propagation workflows
- CSR data is pre-structured and audit-ready throughout the trial
- Deviations surfaced at entry, remediation is prescriptive
- Inspection readiness is a persistent state — not an event
"You are not just building a tool. You are building a closed-loop integrity engine for a high-stakes environment where the cost of entropy is literal human risk."
— Aurelyn Trial | OS™ Design Principles, 202603 Core Philosophy
The Trinity of Clinical Truth
Aurelyn Trial | OS™ intelligence is derived from three immutable sources that together constitute the single, unified source of truth for any active trial.
⚖️
The Law
Pre-Loaded · Immutable · Versioned
Global regulatory standards, ICH GCP guidelines, 21 CFR, EMA/PMDA requirements, and CDISC/eTMF reference models. Shipped with the system. Never modified by users. Updated only through controlled versioning.
📋
The Blueprint
Trial-Specific · Living Document · Protocol-Driven
The study protocol — the unique, authoritative specification for every activity, visit, endpoint, and requirement for a specific trial. Loaded at study start, human-validated, and updated via controlled amendment workflow.
📡
The Evidence
Real-Time · API-Driven · Multi-System
Continuous, real-time data ingestion from all connected source systems — EDC, eTMF, CTMS, Safety Systems — normalized to CDISC and eTMF Reference Model standards via purpose-built API connectors.
Non-Destructive Observer Architecture: Aurelyn Trial | OS™ is a strictly read-only system. It ingests data from source systems but never pushes data back. This preserves source system integrity, eliminates validation complexity, and ensures the compliance layer operates independently of regulated data repositories. The engine observes, validates, flags, and notifies — humans resolve at the source.
Human-in-the-Loop Mandate: All system outputs require human review and validation. The engine is an intelligent co-pilot — not an autonomous pilot. Protocol-derived rules are signed off by a human expert before going live. Remediation actions are reviewed by clinical leads. This is a design principle, not a limitation.
04 System Architecture
The Aurelyn Clinical Engines™ Stack
A four-layer architectural model that transforms raw, multi-source clinical data into actionable compliance intelligence.
Layer 1 · Source Systems (External — Not Owned by Aurelyn)
EDC / eCRF
eTMF Platform
CTMS
Safety / SAE System
IVRS / IWRS
Central Lab
Regulatory Platform
Site Document Portals
↓ ↓ ↓ API Connectors (Read-Only) ↓ ↓ ↓
Layer 2 · Standardized Ingestion & Normalization (Canonical Data Model)
Schema Validation
CDISC Normalization
eTMF Ref Model Mapping
Temporal Reconciliation
Drift Detection
Semantic Normalization
Audit Logging
↓ ↓ ↓ Validated Data Stream ↓ ↓ ↓
Layer 3 · Clinical Evidence & Consistency Engine (Core Intelligence)
Protocol Logic Engine
Regulatory Compliance Validator
Deviation Classifier
Temporal Enforcement
Amendment Propagation
eTMF Completeness Monitor
SAE Reporting Watchdog
Severity Ranker
↓ ↓ ↓ Actionable Intelligence ↓ ↓ ↓
Layer 4 · Output & Human Interface Layer
Compliance Dashboard
Action Queue
Automated Email Notifications
Severity-Weighted Alerts
Protocol Amendment Workflow
CSR Data Package
Regulatory Citation Engine
Audit Trail Export
Trial Instance Architecture: Each trial operates as a discrete, isolated instance of the OS. The Regulatory Knowledge Base (Layer 3 Law) is pre-packaged and shared across all instances. The Protocol Logic (unique per trial) is the only variable component loaded at study start and validated before activation. This "factory model" allows rapid trial onboarding without compromising the integrity of the shared regulatory bedrock.
05 Functional Pillars
Six Pillars of Clinical Governance
Aurelyn Trial | OS™ is organized around six interconnected functional domains, each addressing a critical failure point in the conventional clinical trial management paradigm.
I
Pillar One
Real-Time Data Ingestion & Normalization
Continuous, API-driven ingestion from all connected source systems, normalized against CDISC and eTMF Reference Model standards. Schema deviations are detected at the point of ingestion — before they propagate.
- System-specific API connectors with schema validation
- Real-time canonical data model normalization
- Temporal event reconciliation (occurrence vs. entry date)
- Schema drift alerts with immediate flagging
- Full ingestion audit log with timestamps
II
Pillar Two
Protocol Logic Engine & Rule Derivation
The protocol is parsed, structured, and transformed into an executable, deterministic rule set — the governing logic of the trial OS. All rules are human-validated and cryptographically signed before activation.
- Structured protocol parsing (ICH/FDA template-anchored)
- Visit schedule and time-events matrix extraction
- Activity compliance matrix generation
- Lax protocol requirement flagging against regulatory floor
- Human sign-off workflow with version control
III
Pillar Three
Clinical Evidence & Consistency Engine
The core intelligence layer. Compares real-time evidence against the protocol blueprint and regulatory law, classifying every discrepancy by type, severity, and the specific regulation or protocol section violated.
- Deterministic protocol-vs-evidence comparison engine
- SAE and critical reporting window enforcement
- Regulatory citation auto-mapping per deviation
- Prescriptive remediation suggestions from regulatory guidance
- Deviation categorization ingestion from CRA/Medical Monitor
IV
Pillar Four
Operational eTMF Intelligence
Transforms the eTMF from a static document repository into an active compliance participant. Document completeness, signature status, expiration, and version currency are monitored continuously.
- eTMF Reference Model completeness mapping
- Expired document detection with automatic alerts
- Missing signature tracking and escalation
- Document version currency enforcement across all sites
- ICF version drift detection at site level
V
Pillar Five
Amendment Propagation & Version Governance
Protocol amendments are treated as active system events, not document uploads. Every amendment triggers an automated downstream impact analysis, producing a structured list of required adjustments across all connected domains.
- Amendment loading and impact analysis workflow
- Automatic ICF update requirement generation
- IRB/Ethics Committee submission requirement triggers
- Site data collection adjustment notifications
- Protocol epoch versioning with full audit lineage
VI
Pillar Six
CSR / NDA Data Crystallization
Because the engine maintains a continuous, validated, timestamped compliance record throughout the trial, the clinical study report and NDA submission data are already pre-structured — replacing months of reconstruction with a crystallization of existing truth.
- Continuous deviation log with remediation status
- Pre-structured CSR deviation summary generation
- Full protocol-epoch-versioned data lineage
- Inspection-ready document package export
- Regulatory submission data quality validation
06 Data Standards Layer
Regulatory & Data Standard Framework
The system ships with a pre-loaded, versioned Regulatory Knowledge Base. This is the immutable bedrock — the standards against which all trial data is measured. Users cannot modify this layer.
| Standard / Framework | Body | Scope of Application | Classification |
|---|---|---|---|
| ICH E6(R3) — GCP | ICH | Overall trial conduct, investigator responsibilities, monitoring | REGULATORY_LAW |
| 21 CFR Part 312 | FDA | IND regulations, sponsor/investigator obligations | REGULATORY_LAW |
| 21 CFR Part 11 | FDA | Electronic records, electronic signatures, audit trails | REGULATORY_LAW |
| 21 CFR Part 50 | FDA | Informed consent standards | REGULATORY_LAW |
| 21 CFR Part 54 | FDA | Financial disclosure requirements | REGULATORY_LAW |
| EMA GCP Directive | EMA | EU clinical trial conduct standards | REGULATORY_LAW |
| PMDA Guidelines | PMDA | Japan-specific regulatory requirements | REGULATORY_LAW |
| ICH E3 — CSR Structure | ICH | Clinical Study Report format and content | GUIDANCE |
| ICH E9 — Statistical Principles | ICH | Statistical methodology standards | GUIDANCE |
| EU AI Act (Annex III) | EU | High-risk AI system governance for clinical applications | GOVERNANCE |
| CDISC CDASH | CDISC | Case report form data collection standards | DATA_STANDARD |
| CDISC SDTM | CDISC | Study data tabulation model for submission | DATA_STANDARD |
| CDISC ADaM | CDISC | Analysis data model standards | DATA_STANDARD |
| eTMF Reference Model v3.x | TMF Reference Model | Trial Master File completeness and structure | DATA_STANDARD |
| MedDRA | ICH | Adverse event coding terminology | TERMINOLOGY |
| SNOMED CT | IHTSDO | Clinical terminology normalization | TERMINOLOGY |
| HIPAA / GDPR | US/EU | Patient data privacy and security | PRIVACY_LAW |
07 System Connectors
API Connector Specifications
Each source system requires a purpose-built API connector. Connectors are read-only by design and include schema validation, semantic normalization, and continuous drift monitoring.
| System Category | Primary Function | Data Ingested | Standard Mapping | Criticality |
|---|---|---|---|---|
| Electronic Data Capture (EDC) | Subject data, visit records, CRF entries | Visit dates, activity completion, AE/SAE entries, lab values, protocol deviations | CDISC CDASH / SDTM | Critical |
| eTMF Platform | Trial Master File documents | Document status, version, signatures, expiration dates, completeness metrics | eTMF Ref Model v3 | Critical |
| CTMS | Study and site operational data | Site activation, monitoring visit logs, issue tracking, enrollment status | CDISC CDASH | Major |
| Safety / SAE System | Adverse and serious adverse event reporting | SAE narratives, MedDRA coding, regulatory reporting timelines, causality assessments | MedDRA / ICH E2A | Critical |
| IVRS / IWRS | Randomization and supply management | Subject randomization records, kit allocation, resupply triggers | CDISC SDTM | Major |
| Central Laboratory | Lab results and analysis | Lab panel results, reference ranges, critical value flags, sample receipt records | CDISC LAB / CDASH | Major |
| Regulatory Submission Platform | Regulatory correspondence and submissions | IRB/IEC submissions, approvals, IND safety reports, amendment submissions | eTMF Ref Model / 21 CFR | Major |
| Site Document Portal | Site-level document management | Investigator CVs, training records, delegation logs, site agreements | eTMF Ref Model | Moderate |
| Pharmacovigilance Database | Signal detection and SUSAR management | SUSAR narratives, regulatory notifications, safety update reports | ICH E2A / MedDRA | Critical |
Connector Architecture Requirements: Each connector must implement: (1) OAuth 2.0 or API key authentication; (2) real-time webhook or polling-based data retrieval; (3) schema validation against the canonical data model on every ingestion event; (4) schema drift detection that alerts on any structural change in incoming data; (5) full ingestion audit log with source system identifier, timestamp, and data hash.
08 Protocol Logic Engine
Protocol as Executable Logic
The Protocol Logic Engine is the mechanism by which a dense, highly-structured clinical document is transformed into the operating rules of the trial OS. This is the most critical setup function in the system.
01
Protocol Upload & Structural Parsing
The final approved protocol is uploaded. The engine parses the document using ICH/FDA template-anchored structure recognition, extracting discrete sections: study objectives, eligibility criteria, visit schedule, time-and-events table, endpoint definitions, stopping rules, adverse event reporting requirements, and deviation definitions. Because protocols follow regulatory templates, structural parsing is highly deterministic.
02
Regulatory Floor Validation
Every extracted protocol requirement is cross-referenced against the pre-loaded regulatory standards. Any protocol requirement that is less stringent than the applicable regulation is automatically flagged with the specific regulatory citation and a remediation recommendation. If an override is approved, a documented rationale is required before the system will activate.
03
Rule Derivation & Structuring
Extracted requirements are transformed into a structured, deterministic rule set. The time-and-events table becomes a temporal compliance matrix. Reporting windows (e.g., SAE 24-hour notification, 7/15-day expedited reporting) become temporal enforcement rules. Eligibility criteria become subject-level verification rules. Each rule is tagged with its source protocol section and applicable regulatory reference.
04
Human Expert Review & Sign-Off
The complete derived rule set is presented to a qualified human expert (e.g., Clinical Lead or Regulatory Affairs professional) for review. Each rule is presented alongside its source protocol text and regulatory basis. Sign-off is captured electronically with a 21 CFR Part 11-compliant e-signature. No rules are activated prior to this approval.
05
Trial Instance Activation
Upon sign-off, the trial instance is activated. The Protocol Logic Engine begins real-time validation of incoming data against the signed rule set. The activation event is logged with the approver's identity, timestamp, and a cryptographic hash of the rule set. This creates the opening entry in the trial's audit trail.
09 Operational eTMF
The eTMF as a Living Compliance System
Aurelyn Trial | OS™ fundamentally redefines the eTMF's role — from a passive document archive to an active, real-time compliance participant.
Completeness Monitoring
The eTMF Reference Model defines every expected document artifact for a clinical trial. The OS maps all expected artifacts against what is present in the eTMF, surfacing gaps by zone, section, and site. Missing documents are flagged with the specific eTMF zone reference and the applicable GCP requirement.
Signature Tracking
All documents requiring investigator, sponsor, or CRO signatures are tracked continuously. Documents with missing, pending, or expired signatures generate immediate action items with the responsible party identified and a regulatory citation for the signature requirement.
Expiration Monitoring
Time-sensitive documents — investigator CVs, GCP training certificates, financial disclosures, regulatory approvals — are monitored against their expiration dates. Alerts are generated at configurable intervals (e.g., 90, 60, 30 days prior to expiration) with tiered escalation as the date approaches.
Version Currency Enforcement
Every site must operate on the current, approved version of protocol, ICF, and supporting documents. The OS cross-references documents in each site's eTMF section against the current approved versions, flagging any site operating on a superseded document — one of the most common and preventable inspection findings.
10 Deviation Management
Deviation Detection, Classification & Remediation
Every deviation is detected in real time, classified by regulatory severity, linked to the specific violated protocol section and regulatory citation, and presented with prescriptive remediation guidance — before it compounds.
Severity Classification Framework
| Severity | Definition | Examples | Notification Cadence | Escalation |
|---|---|---|---|---|
| Critical | Immediate regulatory or subject safety risk. Reporting window violations. | SAE not reported within 24/7/15 days; protocol eligibility violation; unauthorized modification of primary endpoint data | Immediate (real-time alert + email within minutes) | Medical Monitor + Clinical Lead + Sponsor QA |
| Major | Significant protocol violation with potential data integrity or safety impact | Missed required visit outside window; unapproved ICF version used; missing lab assessment at required timepoint | Same-day notification | CRA + Site + Clinical Lead |
| Moderate | Protocol deviation with limited direct impact but requiring formal documentation | Assessment performed outside protocol window; incorrect kit dispensed and returned; partial visit completion | Within 24–48 hours per protocol SOP | CRA + Site Coordinator |
| Minor | Administrative or documentation gap not affecting data integrity or subject safety | Missing signature on non-critical document; minor date discrepancy in source record; documentation lag within acceptable window | Scheduled remediation review cycle | Site Coordinator notification |
Regulatory-Citation-First Output Format: Every deviation flag presented in the dashboard or notification email will include: (1) Deviation Type and Severity; (2) Specific Protocol Section violated (e.g., "Section 7.3, Visit 3 Assessment Window"); (3) Applicable Regulatory Citation (e.g., "ICH E6(R3) Section 5.1.3"); (4) Evidence supporting the flag (ingested data vs. expected value); (5) Remediation Suggestion based on regulatory guidance; (6) Responsible Party; (7) Regulatory reporting deadline where applicable.
Deviation Types Monitored
Temporal Deviations
Visit window violations, assessment timing errors, SAE reporting delays, late entry in EDC, consent obtained after procedures
Data Integrity Deviations
Schema inconsistencies, incomplete CRF fields, cross-system data mismatches, unanticipated values outside reference ranges
Eligibility Deviations
Inclusion/exclusion criteria violations, randomization errors, subject enrolled without complete screening
Documentation Deviations
Missing required source documents, unsigned documents, expired certifications, incorrect document versions in use at site
Procedural Deviations
Incorrect study procedure performed, unauthorized protocol modification at site level, unplanned assessments not documented per protocol requirements
Safety Reporting Deviations
SAE narrative incomplete, MedDRA coding missing, causality assessment absent, regulatory authority notification outside mandated window
11 Notification Engine
Priority-Weighted, Regulatory-Anchored Notifications
Notification timing and escalation paths are derived directly from the protocol and applicable regulatory reporting timelines — never arbitrary.
Notification Channels
All notifications are delivered via:
- In-Platform Dashboard: Persistent action items with status tracking
- Automated Email: Direct to responsible party with full regulatory context
- Escalation Chain: Protocol-defined supervisor notification if unresolved
- In-App Acknowledgment: Recipients must log receipt of critical alerts
Remediation Velocity Tracking
The system tracks every issue through to resolution:
- Issue opened timestamp (detection in source data)
- Notification sent timestamp (responsible party)
- Acknowledgment timestamp (human receipt confirmation)
- Resolution timestamp (correction confirmed in source system)
- Time-to-resolution metric per site and per issue type
SAE Reporting Timeline Enforcement: SAE notifications are governed by hard regulatory windows — ICH E2A defines 7-day (fatal/life-threatening unexpected SUSARs) and 15-day (all other unexpected SUSARs) expedited reporting requirements. The system triggers immediate alerts at detection, with re-notification at defined intervals (e.g., 50%, 75%, 90% of window elapsed) until the reporting event is confirmed in the source system. Elapsed-window violations generate Critical severity deviations.
12 Dashboard Specification
Command Center for Clinical Governance
The dashboard provides every user role with a purpose-built, role-scoped view of trial health, compliance status, and actionable items — updated in real time.
Primary Dashboard Modules
Trial Health Overview
Real-time composite compliance score across all active sites and domains. Color-coded heat map of open issues by severity, site, and functional area. Trend lines showing remediation velocity over time. Protocol epoch indicator (current approved version).
Action Queue
Prioritized list of all open remediation items, filtered by role. Each item displays: issue type, severity, responsible party, deadline, protocol citation, regulatory citation, and prescribed remediation action. Items auto-close when the correction is confirmed via real-time ingestion.
eTMF Health Monitor
Zone-by-zone completeness status against the eTMF Reference Model. Signatures pending. Documents approaching expiration (with days remaining). Sites with incorrect document versions. Quick-access links to each flagged item.
Deviation Analytics
Trend analysis of deviation frequency by type, site, and severity over the trial lifecycle. Remediation velocity metrics: average time-to-resolution per issue category. Site-level performance comparisons for systemic bottleneck identification.
Data Collection Status
Subject-level and visit-level activity completion status against protocol time-and-events table. Missing assessments. Upcoming visits with readiness pre-check. Enrollment status against protocol targets.
Amendment Propagation Tracker
Status of all post-amendment required actions: ICF updates, IRB submissions, site data collection adjustments. Each action item tracked to completion. Amendment epoch history with effective dates.
13 Roles & Permissions
Role-Based Access & Accountability
Access to the system is strictly role-based, ensuring that each user sees only the data and actions relevant to their accountabilities — consistent with ICH GCP delegation requirements.
| Role | Scope | Primary Dashboard View | Action Permissions |
|---|---|---|---|
| Sponsor QA / Regulatory Lead | Full trial, all sites | Trial-wide compliance health, critical deviations, audit trail | View all; approve protocol rules; export audit packages |
| Clinical Project Manager | Full trial, all sites | System health overview, remediation velocity, site performance | View all; manage action escalations; monitor team accountability |
| Medical Monitor | Full trial — safety focus | SAE log, safety reporting compliance, deviation severity queue | View all safety data; classify major/critical deviations |
| Clinical Research Associate (CRA) | Assigned site(s) | Site-specific action queue, eTMF completeness, visit readiness | View site data; acknowledge notifications; add monitoring comments |
| Data Manager | EDC data domain | Data collection status, schema flags, missing fields | View data quality metrics; generate data queries |
| Regulatory Affairs | Regulatory documents | Amendment propagation tracker, IRB status, regulatory submissions | View regulatory domain; manage amendment workflow |
| Site Coordinator (Read-Only) | Single site — limited | Site-level action items only | View site-specific items; acknowledge receipt of notifications |
| System Administrator | Configuration only | Connector health, system logs, user management | Manage users, connectors, system configuration; no clinical data modification |
14 Amendment Propagation
Protocol Amendment as an Active System Event
In conventional practice, protocol amendments are uploaded to the eTMF and communicated via email — leaving the burden of downstream impact assessment to individual team members. Aurelyn Trial | OS™ eliminates this gap entirely.
The Industry Problem This Solves: "Version drift" — sites operating on superseded protocol or ICF versions — is among the most common and most serious GCP inspection findings globally. It creates subject safety risk, data integrity failures, and can render entire datasets un-analyzable. Aurelyn Trial | OS™ treats every amendment as an active trigger, not a passive document event.
01
Amendment Upload & Parsing
The approved protocol amendment is uploaded. The engine performs a differential analysis against the current protocol epoch, identifying all sections where requirements have changed, been added, or been removed.
02
Downstream Impact Analysis
For each changed requirement, the engine maps all downstream dependencies across connected systems: Does the ICF require revision? Does the IRB/IEC require a new submission? Do CRF collection endpoints need updating? Is the visit schedule or time-and-events table modified? All impacted domains are surfaced with specific action requirements.
03
Regulatory Floor Re-Validation
The amended requirements are re-validated against the regulatory knowledge base. Any new lax requirements introduced by the amendment are flagged before the new epoch is activated.
04
Human Review & Amendment Sign-Off
The impact analysis and updated rule derivations are reviewed by the Clinical Lead and/or Regulatory Affairs team. Electronic sign-off activates the new protocol epoch. Prior epoch data is preserved with full lineage — not retroactively altered.
05
Site-Level Compliance Enforcement
Upon activation, each site's compliance status is immediately assessed against the new requirements. Sites operating on superseded documents are flagged. CRAs receive targeted action items for their assigned sites. The eTMF monitor begins tracking receipt and filing of the new documents at every active site.
15 CSR / NDA Readiness
From Trial to Submission — Data Crystallization
The ultimate output of Aurelyn Trial | OS™ is not just a cleaner trial — it is the elimination of the most painful, resource-intensive phase of drug development: close-out and CSR compilation.
Because the system maintains a continuous, real-time, validated compliance record throughout the trial, the transition to CSR and NDA submission is not a reconstruction — it is a crystallization of evidence that has been accumulating since Day One.
Every deviation, its severity classification, its protocol and regulatory citation, its remediation action, and its resolution confirmation is logged, timestamped, and structured in the exact format required for CSR narrative generation. The CSR deviation table is, effectively, always current.
CSR-Ready Data Package
Pre-structured deviation summary organized per ICH E3 CSR template requirements. Complete protocol epoch history for the amendment narrative. Site performance metrics. Monitoring and oversight documentation summary. All linked to source records with audit trail.
NDA / Marketing Application Support
Full data lineage demonstrating CDISC SDTM compliance of ingested datasets. eTMF completeness report against TMF Reference Model requirements. GCP compliance summary for regulatory reviewer package. Inspection readiness certification artifact.
Strategic Value to Sponsors: Traditional CSR compilation following trial close-out can consume 6–12 months of intensive effort and significant budget. By maintaining continuous, structured, validated compliance data throughout the trial lifecycle, Aurelyn Trial | OS™ compresses this to a validation and synthesis exercise — not a discovery and reconstruction project. This reduction in close-out effort represents one of the most significant ROI opportunities in clinical development operations.
16 Regulatory Compliance
System Compliance Requirements
Aurelyn Trial | OS™ itself must operate as a validated, compliant system — subject to the same regulatory rigor it enforces on the trials it governs.
21 CFR Part 11 Compliance
Full electronic signature implementation with identity verification. Complete audit trail for all data access, rule activations, and sign-off events. System access controls with unique user identification. Audit trail data non-modifiable and reviewer-accessible. Training documentation and SOPs maintained.
Computer System Validation (CSV)
GAMP 5 Category 4/5 validation approach. Validation documentation package: IQ, OQ, PQ protocols and reports. Traceability matrix linking requirements to test scripts. Change control procedure for all system modifications. Periodic revalidation protocol.
EU AI Act — High-Risk Classification
Aurelyn Trial | OS™ is classified as a high-risk AI system under EU AI Act Annex III (clinical AI application). Compliance requirements: transparency documentation, human oversight mechanisms, accuracy and robustness standards, risk management system, conformity assessment. Full human-validation mandate is a core design response to this classification.
Data Privacy (HIPAA / GDPR)
The system ingests de-identified or pseudonymized subject-level data only. Personal data handling governed by GDPR Article 89 (research exception) and HIPAA Safe Harbor provisions. Data Processing Agreement (DPA) required with all source system providers. Data residency controls for EU-based trials.
17 Security & Validation
Enterprise Security Architecture
Security requirements for a validated clinical system operating in a regulated environment demand enterprise-grade controls across every layer.
| Security Domain | Requirement | Standard |
|---|---|---|
| Authentication | Multi-factor authentication (MFA) mandatory for all users. SSO integration with enterprise identity providers (SAML 2.0, OAuth 2.0) | 21 CFR Part 11 / NIST SP 800-63B |
| Authorization | Role-based access control (RBAC) with least-privilege principles. All access decisions logged in immutable audit trail | 21 CFR Part 11 |
| Data Encryption | AES-256 encryption at rest. TLS 1.3 minimum for all data in transit. End-to-end encryption for all API connector channels | NIST FIPS 140-2 / ISO 27001 |
| Audit Trail | Immutable, time-stamped audit trail for all system events. Non-modifiable by any user including administrators. Exportable for regulatory inspection | 21 CFR Part 11.10(e) |
| Business Continuity | 99.9%+ uptime SLA. Active-active geographic redundancy. RTO < 4 hours, RPO < 1 hour. Disaster recovery plan with documented testing | GxP Data Integrity / GAMP 5 |
| Penetration Testing | Annual third-party penetration testing. Vulnerability scanning for all API connectors. Bug bounty program for responsible disclosure | OWASP / ISO 27001 |
| Change Control | All system changes subject to formal change control with impact assessment and regression testing. No "hotfixes" to validated production environment | GAMP 5 / 21 CFR Part 11 |
| Data Integrity | ALCOA+ principles enforced for all ingested data: Attributable, Legible, Contemporaneous, Original, Accurate. Data hashing at ingestion to detect tampering | FDA Data Integrity Guidance 2018 |
18 Implementation Roadmap
Phased Build & Delivery
A four-phase development roadmap from foundational infrastructure to full commercial deployment, with validation milestones at each phase gate.
Phase 1 — Foundation
Regulatory Knowledge Base & Core Architecture
Establish the Regulatory Knowledge Base (all pre-loaded standards). Build the canonical data model and normalization framework. Develop the core authentication, RBAC, and audit trail infrastructure. Define and document the CSV/validation approach (IQ/OQ/PQ framework). Build the first three API connectors: EDC, eTMF, CTMS.
Months 1–4
Phase 2 — Intelligence Engine
Protocol Logic Engine & Deviation Detection
Build the Protocol Logic Engine (parsing, rule derivation, human sign-off workflow). Deploy the real-time deviation detection system with severity classification. Implement temporal enforcement (SAE windows, visit windows, reporting deadlines). Build remaining API connectors: Safety System, IVRS/IWRS, Central Lab, Regulatory Platform. Initial dashboard — Clinical PM view and CRA view.
Months 5–9
Phase 3 — Operational Features
eTMF Intelligence, Amendment Propagation & Notifications
Deploy the Operational eTMF monitoring suite. Build the Amendment Propagation workflow with downstream impact analysis. Implement the priority-weighted notification engine with regulatory-anchored cadence. Build remediation velocity tracking and site performance analytics. Complete dashboard suite — all role views. Begin validation activities (OQ execution).
Months 10–14
Phase 4 — Validation & Commercial Launch
CSR Package, Full Validation & Pilot Deployment
Build the CSR Data Crystallization package and NDA-ready export functionality. Complete Performance Qualification (PQ) and validation documentation package. SOPs, user training program, and onboarding workflow. Pilot deployment with one sponsor client (single trial, monitored environment). Full commercial launch with SLA and support structure in place.
Months 15–20
19 Risk Considerations
Identified Risks & Mitigations
A candid assessment of the primary technical, operational, and regulatory risks in this architecture — each with a defined mitigation strategy.
| Risk | Category | Impact | Mitigation |
|---|---|---|---|
| Semantic Mapping Drift — source system field-level changes misinterpreted as clinical data | Technical | Critical | Schema drift detection layer within each connector; automated alerts on any structural API change; human review required before ingestion resumes post-schema-change |
| Alert Fatigue — volume of notifications desensitizes functional teams | Operational | Major | Strict severity classification; role-scoped notifications (users see only their items); remediation velocity monitoring enables PM to identify systemic bottlenecks early |
| Protocol Parsing Gaps — complex or non-template protocol sections may be incompletely extracted | Technical | Major | Human expert review and sign-off of all derived rules before activation; mandatory flag for any section where extraction confidence is below threshold |
| API Connector Failures — source system downtime disrupts real-time ingestion | Technical | Major | Connector health monitoring with immediate alert on ingestion interruption; queued re-ingestion on reconnection; dashboard indicator for last-sync timestamp per system |
| Regulatory Standard Updates — new guidance invalidates pre-loaded regulatory rules | Compliance | Major | Controlled versioning of Regulatory Knowledge Base; annual review cycle; immediate update protocol for major guidance changes; notification to all active trial instances on regulatory version update |
| Human Validation Bottleneck — sign-off workflows delay trial start or amendment activation | Operational | Moderate | SLA-defined turnaround expectations for human review; escalation path if reviews are not completed within protocol-defined timeframe; parallel review workflow for multiple approvers |
| Data Privacy Breach — inadvertent ingestion of unmasked subject PII | Privacy / Legal | Critical | Connector-level PII stripping and pseudonymization before data enters the Aurelyn layer; privacy impact assessment per source system; GDPR/HIPAA DPA requirements enforced at onboarding |
Aurelyn AI Clinical · Philadelphia, PA · 2026
One Source of Truth.
Every Trial. Every Site. Every Moment.
Aurelyn Trial | OS™ — where clinical compliance shifts from retrospective reconstruction to real-time governance, and where every deviation found today protects a patient tomorrow.
Aurelyn Clinical Engines™
Aurelyn Trial | OS™
Proprietary · Confidential