Audit Trails and Electronic Signatures
Regulatory agencies worldwide — the US FDA, EU EMA, WHO, and Japan PMDA among them — have converged on a consistent expectation: every electronic record that affects product quality or patient safety must be protected by a secure, computer-generated audit trail, and any approval or review action must be captured as a meaningful electronic signature. These two controls form the backbone of data integrity compliance in modern analytical laboratories.
What Is an Audit Trail?
An audit trail is a chronological, tamper-evident log automatically generated by the instrument software. Each entry records the identity of the operator, the exact date and time (synchronized to a trusted clock), the action performed, and — for any parameter change — both the old and new values. A compliant audit trail cannot be edited or deleted by any user, including system administrators; it can only be reviewed. The FDA and MHRA data integrity guidances explicitly state that audit trails must be retained for the same period as the records they protect and must be available for inspection.
Anatomy of a Compliant Audit-Trail Entry
A single compliant entry contains at minimum:
- Unique record identifier and version number
- Operator user ID and full name
- Date and time stamp (UTC or unambiguous local time with offset)
- Action type (create, modify, delete, print, export, sign)
- Field changed and previous/new values (for modifications)
- Reason for change (where required by predicate rules)
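One way to make entries with these minimum fields tamper-evident is to chain each entry to the hash of the one before it. The following is an added example, not code from the original page or from any vendor's software; the field names, the SHA-256 hash chain and the sample record are assumptions chosen for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry
ACTIONS = {"create", "modify", "delete", "print", "export", "sign"}

def digest(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the hash reproducible.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def append_entry(trail, record_id, version, user_id, full_name, action,
                 field=None, old=None, new=None, reason=None, ts=None):
    """Append one entry carrying the minimum fields listed above."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action type: {action}")
    if action == "modify" and None in (field, old, new):
        raise ValueError("a modification must record the field and old/new values")
    body = {
        "seq": len(trail), "record_id": record_id, "version": version,
        "user_id": user_id, "full_name": full_name,
        "timestamp_utc": ts or datetime.now(timezone.utc).isoformat(),
        "action": action, "field": field, "old": old, "new": new, "reason": reason,
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    trail.append({**body, "hash": digest(body)})
    return trail[-1]

def verify_trail(trail):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if (body.get("seq"), body.get("prev_hash"), digest(body)) != (i, prev, entry.get("hash")):
            return i
        prev = entry["hash"]
    return None

def demo():
    # Constructed sample data: the record, users and values are made up.
    trail, day = [], "2024-01-15T"
    append_entry(trail, "REC-0001", 1, "jdoe", "Jane Doe", "create", ts=day + "09:00:00+00:00")
    append_entry(trail, "REC-0001", 2, "jdoe", "Jane Doe", "modify", "wavelength_nm",
                 "254", "260", "method correction", ts=day + "09:05:00+00:00")
    append_entry(trail, "REC-0001", 2, "asmith", "Alan Smith", "sign", ts=day + "10:00:00+00:00")
    return trail
```

The chain detects an edited, removed or reordered entry, but not removal of the newest entries or a full recomputation by someone who can rewrite the whole store. For that reason the latest hash should also be kept somewhere the log's writers cannot change.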
Electronic Signatures Under 21 CFR Part 11
Under 21 CFR Part 11 Subpart C, an electronic signature applied to a record must include the printed name of the signer, the date and time the signature was applied, and the meaning of the signature (such as “reviewed,” “approved,” or “released”). Each signature must be permanently linked to its record so that any attempt to copy, transfer, or falsify it is detectable. The regulation also requires that signatories confirm their electronic signature is the legally binding equivalent of a handwritten signature.
ALCOA+ Principles
The ALCOA framework (Attributable, Legible, Contemporaneous, Original, Accurate) and its extension ALCOA+ (Complete, Consistent, Enduring, Available) are the universally accepted shorthand for data integrity expectations. Audit trails directly address the Attributable and Contemporaneous requirements; electronic signatures address Attributable; tamper-evident storage addresses Original and Enduring; and controlled access addresses Accurate. Laboratories should map their data workflows against ALCOA+ to identify gaps before an inspection.
Implementation in K LAB Systems
K LAB Secure software, used alongside the View PC software, implements both audit trail and electronic signature functionality. Audit trail entries are written in real time as operators log in, run measurements, modify methods, or export data. Electronic signatures are captured behind a re-authentication prompt, which prevents a signature from being applied at an unattended session. All records are protected by checksum-based integrity verification, so any file-level tampering is flagged as soon as the record is next opened. Secure audit trail exports are available as signed, human-readable PDF reports suitable for regulatory submissions and inspector review.
