Regulatory posture · Compliance & integrity

Built so the output can withstand a reviewer.

A Brioche brief is meant to be read by people whose decisions face regulatory scrutiny. The standard of evidence we hold ourselves to is the standard those readers hold themselves to. Cited to source. Dated. Reviewed by a named human. Auditable end-to-end.

Cited claims
100%
Reviewer
Named, signed
Audit retention
7 years
Data integrity
ALCOA+
01  —  Standards

The frameworks we are built against.

Brioche is not itself a regulated medical device. The methodology, however, is built to the conventions a regulated submission requires — so that an output cited inside a regulatory dossier inherits the integrity of the practice that produced it.

ALCOA+ · Data integrity
Every claim is attributable, legible, contemporaneously recorded, original (or a true copy), accurate, plus complete, consistent, enduring, and available. Source ledger updates and reviewer actions are captured contemporaneously, with no post-hoc edits.
21 CFR Part 11
Electronic records and signatures are version-controlled. Every brief is signed by a named reviewer. Edit history is retained. The reviewer's identity, the timestamp, and the signed payload are recoverable from the audit trail.
IEC 62304 · Class B
The software lifecycle behind the practice — version control, change management, requirements traceability, defect management — follows IEC 62304 Class B medical-device-software conventions. The methodology itself is auditable end-to-end.
ISO 14971
Risk management for the software practice — failure modes, corrective & preventive action, post-delivery monitoring — is structured to ISO 14971 conventions.
ICH E6 (R3)
Validated algorithms, frozen models, and reproducibility — the conventions ICH E6 (R3) requires of computational components in clinical research — applied to every step of the analytical workflow.
02  —  Provenance

Every claim, traceable to a primary source.

A claim in a Brioche brief is not "the literature says." It is "the FDA review for NDA 022291 says, on page 47, retrieved 2026-03-12, reviewed by SK." The full chain is preserved.

Secondary syntheses are useful as a starting point. They are never the source of a claim. Every load-bearing statement in a brief is anchored to a primary regulatory document, a primary clinical trial registry record, a primary patent filing, a primary SEC filing, or a primary peer-reviewed publication.

The reviewer reads the source. The source ID is in the brief. The retrieval log is in the audit trail. The version of the source at retrieval is preserved in the workspace for the seven-year retention window.

Reference card · BB-CITE No. 0142 · Illustrative
Claim
Eltrombopag was approved with a hepatotoxicity REMS based on Grade 3 ALT/AST elevations observed in early studies.
Primary source
FDA · Drugs@FDA · NDA 022291 · Medical Review · § 7.4
Retrieval
2026-03-12 14:08 UTC
Workflow rev
META-REG-PATHWAY · v3.4.1
Confidence tier
High · primary regulatory record · single-source confirmed
Reviewer
SK · 2026-03-13 · signed
Hash
sha256:9af41d…b720c1

See the source coverage and methodology

03  —  Review

A named human signs every brief.

The single most consequential step in the methodology is the one that happens last. Before a brief leaves the practice, a named reviewer reads the analysis end-to-end against the cited primary sources. The reviewer's identity is on the brief. The signature is on the audit trail.

The reviewer is not a rubber stamp. The reviewer can reject a brief. When that happens — when a claim does not survive the source check, when a citation does not actually support the assertion, when a recommendation does not follow from the evidence — the brief returns to the analytical workflow with a written rejection note. The rejection is preserved. The corrective work is captured.

This step is where regulatory-grade comes from. Not the methodology alone. The methodology, plus a human who has to put their name on it.

04  —  Audit trail

Seven years. End-to-end. Recoverable.

Every engagement ships with an audit trail bundled alongside the deliverable. The same artifact that is delivered to the client is the artifact retained, hash-pinned, for seven years.

The audit trail captures: the engagement scope as written at kickoff; every source retrieved and the timestamp at which it was retrieved; every claim made in the brief and the source it ties to; every analytical workflow rev that produced an intermediate output; the named reviewer's signature on the final brief; and any rejection-and-rework cycle that occurred along the way.

If a claim is ever challenged — by an FDA reviewer, by a board, by a counterparty in due diligence — the chain back to the primary source is recoverable in minutes, not weeks.