IntuitionLabs
AI Technology Vision

Werum PAS-X AI Integration & MCP Agents

Empowering pharmaceutical and life science organizations with cutting-edge AI solutions.

AI Capabilities We Build on Werum PAS-X

Batch Record Query Agents
Natural-language access to PAS-X batch history. QA and MSAT users ask "show me batches of product X with chromatography deviations in 2025" and get cited, sourced answers.
Deviation Triage Assistant
Match new deviations against historical analogues, suggest root cause categories, and surface relevant CAPAs. Drafts that QA edits and submits with their own e-signature.
Review by Exception Copilot
Surface flagged exceptions in the batch record, attach historical context, and propose dispositions. Reviewer maintains final authority and signature.
Operator Copilot
In-context recipe assistant for shop floor operators: where am I, what comes next, what equipment is expected. Read-only with scoped access matching the operator role.
PAS-X Savvy Augmentation
Wrap PAS-X Savvy with a conversational layer for non-power users. KPI exploration in natural language, with charts and source records cited inline.
Tech Transfer Knowledge Agent
Cross-site batch comparison for tech transfer: cycle times, yields, deviation patterns, and equipment configurations across origin and receiving sites.

How MCP Agents Connect to PAS-X

The Model Context Protocol is an open standard for connecting AI assistants to enterprise systems with explicit tool definitions, scoped permissions, and audit boundaries. For PAS-X we expose MCP tools that wrap REST endpoints — batch lookup, deviation history, equipment status — under the calling user's identity. The model never touches the database; every call is mediated, logged, and bounded by the user's PAS-X role. See the MCP specification.
MCP agents connecting to Werum PAS-X over scoped REST tools

Grounded in Real Records, Not Narrative

Every agent response cites the PAS-X records it draws from — batch ID, deviation ID, equipment ID — so claims are traceable rather than narrative. The model cannot invoke a lookup with a fabricated ID without the MCP boundary catching it, and never asserts a record exists without the tool returning it first. This grounding pattern is consistent with the FDA draft guidance on AI in regulatory decision-making.
AI agent answers grounded in real PAS-X records with citations

Validated Like Any GxP System

The agent platform is treated as GAMP 5 Category 5 custom software: URS, FS/CS, IQ/OQ/PQ, validation summary report, change control. Adversarial testing — prompt injection per OWASP LLM Top 10, hallucinated record IDs, role escalation — is part of OQ. Audit trails feed into your existing GxP audit infrastructure.
AI agent on PAS-X validated under GAMP 5 with adversarial testing

Architecture Pillars for AI on PAS-X

Identity Propagation

User identity from your SSO flows through the agent gateway to the PAS-X REST API. Agent inherits the user's PAS-X role and audit attribution, no service account bypassing RBAC.

Learn more

MCP Tool Boundary

Model Context Protocol tools wrap PAS-X endpoints with scoped permissions and explicit definitions. Model never touches the database directly. Every call mediated, logged, and bounded.

Learn more

Read-Then-Human-Write

Agent reads PAS-X freely, drafts deviations and CAPAs, but never writes. Human reviews and submits with their own electronic signature, preserving Part 11 attribution and intent.

Learn more

Grounded Citations

Every claim cites the underlying PAS-X record. Batch IDs, deviation IDs, equipment IDs surfaced inline so reviewers can verify. Hallucination contained at the tool boundary.

Learn more

Adversarial Hardening

Prompt injection mitigation per OWASP LLM Top 10. Input filtering on retrieved free-text fields, structured tool outputs, and red-team testing built into OQ validation.

Learn more

Provider Portability

Model-agnostic via enterprise gateway. Anthropic Claude, OpenAI GPT, Google Gemini, or self-hosted Llama. Agent architecture portable across providers without re-validation of business logic.

Learn more

High-Value AI Use Cases on Werum PAS-X

Batch Cycle Time Inquiry

QA staff ask "what is the typical batch cycle time for product X on line Y over the last 12 months" and get a sourced answer with cited batch IDs.

Deviation Pattern Match

New deviation submitted; agent retrieves the 5 most similar historical deviations, summarizes root causes, and surfaces relevant CAPAs.

Tech Transfer Comparison

MSAT compares cycle times, yield, and deviations between origin and receiving sites for a product undergoing tech transfer, grounded in real batch data.

Review-by-Exception Triage

Reviewer opens batch; agent surfaces flagged exceptions, attaches historical context for each, and proposes dispositions for human review.

Equipment History Lookup

Maintenance asks "show me cleaning and qualification history for equipment Z" and gets a chronological sourced summary.

Cross-Batch Anomaly Search

Operations searches for batches with similar in-process anomalies across product families to support trend detection and CAPA prioritization.

Our Engagement Model for AI on PAS-X

AI on PAS-X programs fail when teams try to do too much in the first agent — autonomous deviation closure, end-to-end batch release. We start narrow and read-only, prove the audit and validation pattern works, then expand. The first agent is typically a batch history query assistant that ships in a quarter, including GAMP 5 validation and adversarial OQ testing. Subsequent use cases reuse the platform.

Discovery & Use Case Selection

Two to three week sprint with QA, MSAT, and operations to identify the highest-value first agent and scope MCP tools, validation depth, and acceptance criteria.

Build & Validate

Eight to twelve week build of agent platform, MCP tools, prompts, and validation package. Includes adversarial OQ testing for prompt injection and hallucination.

Iterate & Expand

Subsequent agents in four to eight week increments. Reuse platform, add tools, expand scope. Each agent independently validated and released into production.

Today's business insights

Profitable growth in the AI solutions industry

Our CEO discusses how AI is transforming the pharmaceutical industry and shares key strategies for leveraging AI in drug discovery and development.

More insights on unlock profitable growth in ai solutions
Profitable growth in the AI solutions industry

Standards We Reference for AI on PAS-X

GAMP 5 for AI/ML
ISPE GAMP 5 Second Edition explicitly addresses AI and machine learning systems. We use it as the primary validation framework for PAS-X agents.
FDA AI Guidance
FDA draft guidance on AI in regulatory decision-making for drug and biological products. We design agents to meet emerging FDA expectations on AI lifecycle management.
OWASP LLM Top 10
OWASP Top 10 for LLM Applications covers prompt injection, insecure output handling, and other LLM-specific risks. Built into our adversarial OQ test suites.
NIST AI RMF
NIST AI Risk Management Framework. We use it as the governance backbone for AI deployments on PAS-X, mapped to GAMP 5 controls.
ALCOA+ for AI Outputs
AI outputs that inform GxP decisions must respect ALCOA+ principles. Citations, source traceability, and audit retention enforced at the agent platform level.
MCP Specification
Model Context Protocol open specification. The integration layer between the LLM and PAS-X. Open spec means tooling and audit patterns can be standardized across the industry.

AI on PAS-X — Frequently Asked Questions

Pharma manufacturing generates enormous volumes of structured batch data — every batch record, every deviation, every equipment cleaning event — and the cost of accessing that knowledge through traditional reporting is high. AI agents on top of Werum PAS-X let QA, MSAT, and operations staff query batch history in natural language, triage deviations against historical analogues, and surface review-by-exception findings without writing SQL. The economic case rests on three things: faster batch release, faster deviation closure, and broader access to manufacturing knowledge. We build these workflows with full audit, scoped access, and validation aligned to ISPE GAMP 5 Second Edition.
The Model Context Protocol is an open standard introduced by Anthropic for connecting AI assistants to enterprise systems with explicit tool definitions, scoped permissions, and audit boundaries. For PAS-X, we expose MCP tools that wrap PAS-X REST endpoints — read batch records, query deviation history, fetch equipment status — with scoped credentials matching the operator role of the user invoking the agent. The protocol cleanly separates the LLM (which never has direct database access) from the data layer, which is essential when the underlying system is GxP-validated. Read the MCP specification for the full architecture.
PAS-X Savvy is Körber's self-service analytics and AI tool for batch data — statistical process control, deviation root cause analysis, and right-first-time tracking. It is excellent for QA and MSAT power users who want to author their own analyses. Our MCP-based AI layer is complementary: a conversational interface that anyone in operations can use to ask "what is the typical batch cycle time for product X on line Y" or "show me batches with deviations involving the column packing step in the last 90 days" without learning Savvy or writing queries. We typically deploy both — Savvy for power users, MCP agents for everyone else.
The agent itself is treated as a GAMP 5 Category 5 custom application: requirements, design, configuration, IQ/OQ/PQ, and traceability matrix. Crucially, the LLM does not write to PAS-X. It reads via scoped MCP tools, with every call logged. When a user wants to take an action — draft a deviation, propose a CAPA — the agent generates a draft that the human reviews and submits through the standard PAS-X UI with their own electronic signature. This separation preserves 21 CFR Part 11 e-signature integrity and gives inspectors a clean attribution chain. See PAS-X compliance and validation.
The four highest-value AI use cases on PAS-X in our experience are: (1) review-by-exception copilots that surface flagged batch entries and the historical context for each anomaly; (2) deviation triage assistants that match new deviations against historical analogues and suggest root cause categories; (3) natural-language batch history queries for QA, MSAT, and tech transfer; (4) operator copilots that answer "where am I in the recipe, what comes next, what equipment am I expecting" against the active batch context. All four are read-only patterns that defer write actions to the human, which keeps them within Part 11 boundaries.
Every agent response is grounded in retrieved PAS-X records, and every retrieval is logged with the user, the timestamp, the query, and the records returned. The agent surfaces source records to the user — batch ID, deviation ID, equipment ID — so claims are traceable rather than narrative. We align this design to the MHRA and FDA data integrity guidance: attributable, legible, contemporaneous, original, accurate, plus complete, consistent, enduring, and available (ALCOA+). The agent is a search and summarization tool, not a record-of-truth.
This is a real and serious risk in unconstrained LLM deployments and the reason we never let the model speak about specific records without retrieval. The agent architecture forces a tool call to PAS-X for any specific batch, deviation, or equipment ID — the model cannot invoke a lookup tool with a fabricated ID without it being caught at the MCP boundary, and the model never asserts a specific record exists without the tool returning it first. We test this aggressively during validation, including red-team prompts that try to coax the model into hallucinated batch numbers. This pattern is consistent with the FDA draft guidance on AI in regulatory decision-making.
We are model-agnostic and route through an enterprise gateway that supports Anthropic Claude, OpenAI GPT, Google Gemini, and self-hosted open-weight models. For PAS-X agents specifically, we typically default to Anthropic Claude on AWS Bedrock or Azure AI Foundry for tool-use reliability and the strongest available data residency story. Some customers self-host open models like Llama in their own VPC for sensitive batch data. We architect the agent to be portable across providers via the gateway abstraction.
Every agent invocation runs under the calling user's identity, propagated from your single sign-on through the agent gateway to the PAS-X REST API. The agent inherits the user's PAS-X role and can only see what they would see in the PAS-X UI. We do not introduce a service account that bypasses RBAC. Audit trails on the PAS-X side show the original user, not the agent, as the data accessor — which is what Part 11 requires for attribution.
The agent can draft deviation text, summarize historical CAPAs, and propose root cause categories — but the actual record creation in PAS-X always passes through the human, who reviews the draft, edits it, and submits with their own electronic signature in the PAS-X UI. We deliberately do not give the agent direct write access to PAS-X. This preserves Part 11 e-signature integrity and keeps the human in the legal record-of-truth. Customers occasionally push for autonomous write actions; we resist this until regulatory clarity catches up to autonomous AI agents in GxP contexts, which is still emerging in FDA AI guidance.
A first MCP-based agent on PAS-X — typically a read-only batch history query assistant — runs 8 to 12 weeks from kickoff: requirements, MCP tool design, agent prompt engineering, validation, and pilot rollout to a single production area. Adding subsequent use cases (deviation triage, review-by-exception copilot, operator copilot) reuses the agent platform and runs 4 to 8 weeks each. We build the platform once and add capabilities iteratively — this avoids the common failure mode of trying to do too much in the first agent and slipping into a multi-quarter program with no value delivered.
Prompt injection — where an attacker embeds adversarial instructions in input data the agent retrieves — is a known and active class of vulnerability documented in the OWASP Top 10 for LLM Applications. We mitigate with multiple layers: input filtering on retrieved batch comments and deviation descriptions, structured tool outputs that are not freely interpretable as instructions, scoped tool permissions so even a successful injection cannot exfiltrate data outside the user's PAS-X role, and audit on every tool call. The agent platform is treated as a security boundary, not just an analytics product.
Ready to Bring AI Agents to Your Manufacturing Floor?
Ready to Bring AI Agents to Your Manufacturing Floor? image

Ready to Bring AI Agents to Your Manufacturing Floor?

From batch record query agents to deviation triage and review-by-exception copilots — fully grounded, audited, and validated under GAMP 5. Let us scope a first agent for your PAS-X environment.

Book a Meeting

© 2026 IntuitionLabs. All rights reserved.

Privacy PolicyTerms of ServiceBook Meeting