Not every Vault QMS process requires validation. Scope is determined by whether a process creates or modifies records required by a GxP predicate rule, or generates electronic signatures with regulatory significance.
Records of quality events, root cause investigations, and closure decisions are GMP records under 21 CFR 211.192 and equivalent GxP regulations. Lifecycle configurations controlling approval routing and closure are in scope.
Corrective and preventive action records, effectiveness checks, and closure approvals are quality system records. Workflow configuration, e-signature steps, and notification rules for CAPA all require validation.
Change requests and impact assessments that authorise modifications to validated systems, manufacturing processes, or controlled documents are GMP-relevant. The approval workflow and electronic signature chain must be validated.
Product complaint records and internal audit findings are GMP records under 21 CFR 211.198 and ISO 13485. Lifecycle states, assignment rules, and closure approval configurations are in scope.
Personal dashboard layouts, saved filter configurations, and non-GxP reporting preferences have no record integrity impact and are excluded from validation scope with documented rationale.
Administrative objects with no connection to product quality records — e.g., internal meeting requests or non-regulated project trackers — fall outside GxP validation scope.
GAMP 5 Classification for Veeva Vault QMS
| Component | GAMP 5 Category | Validation approach |
|---|---|---|
| Standard Vault QMS platform | Category 4 | Leverage Veeva IQ/OQ; own PQ/UAT for configured workflows |
| Customer-configured workflows, lifecycles, roles | Category 4 | URS + FRA + PQ/UAT required for GxP-impacting configurations |
| Custom Vault SDK extensions (Java) | Category 5 | FS, DS, code review, full IQ/OQ/PQ required |
| Vault platform infrastructure (Veeva-managed cloud) | Infra | Supplier qualification: SOC 2, ISO 27001, Veeva IQ documentation |