Validated by architecture,
not by promise.
Other vendors bolt compliance on top of generic systems. V5 Ultimate bakes it into the persistence layer — audit trails fire from database triggers, RLS enforces isolation, and signatures capture an immutable snapshot at the moment of signing.
How V5 Ultimate delivers defensible compliance
21 CFR Part 11 E-Signatures
Re-authentication, meaning of signature, immutable record snapshot, and signed manifest hash on every controlled action.
Immutable Audit Trail
Every create / update / delete captured at the database tier. Append-only — no application code can rewrite history.
Tenant & Role Isolation
Postgres row-level security enforces tenant boundaries and role permissions on every query — not in app code.
Validated Cloud Infrastructure
IQ/OQ/PQ documentation supplied per release. SOC 2 controls, encrypted at rest and in transit, regional data residency.
Every regulator. Every record.
FDA Electronic Records & Signatures
Authentication controls, audit trails, time-stamped signatures, system documentation — all native.
FDA cGMP for Pharmaceuticals
Master batch records, deviation control, change control, supplier management.
FDA QSR for Medical Devices
Design controls, eDHR, complaint handling, CAPA — aligned with ISO 13485.
Medical Device Quality Systems
Risk-based document control, training records, supplier scorecards.
FDA Food Traceability Final Rule
Critical Tracking Events (CTE) and Key Data Elements (KDE) capture and export.
Global Food Safety
Pre-op checks, sanitation, allergen segregation, mock recall workflows.
EU GMP — Computerised Systems
Validation, change management, electronic records aligned with EMA expectations.
Modernization of Cosmetics Regulation
Facility registration, product listing, adverse event reporting workflows.
Meat & Poultry Inspection
Pre-shipment review, label approval workflows, lot-level traceability.
Long-form guides to the regulations themselves.
Plain-English pillar pages written by our compliance team — each cites the exact CFR / Annex clause, shows the common failure mode, and links back to the V5 control that closes it.
21 CFR Part 11
Electronic records & signatures — Subpart B & C, audit trails, CSV/CSA, open vs closed systems.
eBMR — Electronic Batch Records
21 CFR 211.188, accurate reproduction of the MMR, e-signatures on the BMR, Annex 11 alignment.
MMR — Master Manufacturing Record
21 CFR 211.186, two-person approval, immutability + versioning, MMR vs Master Formula.
eDHR — Electronic Device History Record
21 CFR 820.184, DHR vs DMR vs DHF, UDI capture, rework & nonconformity, validation under Part 11.
FSMA 204 — Food Traceability
21 CFR 1 Subpart S, FTL, CTEs & KDEs, the 24-hour report, retention, exemptions.
Clause-by-clause. Control-by-control.
Generic 'we support GMP' claims don't survive an inspection. Here is the exact clause, the exact V5 control that satisfies it, and the exact database record an auditor can pull.
| Framework | Clause | Requirement | V5 control | Record produced |
|---|---|---|---|---|
| 21 CFR Part 11 | §11.10(e) | Secure, computer-generated, time-stamped audit trails | Database-tier triggers on every regulated table | audit_log (append-only, RLS INSERT-only) |
| 21 CFR Part 11 | §11.50 | Signed records contain printed name, date/time, meaning of signature | E-sig dialog forces re-auth + meaning code + record snapshot hash | electronic_signatures.snapshot_hash + meaning |
| 21 CFR Part 11 | §11.70 | Signatures linked to records so they cannot be excised, copied, or transferred | Signature row stores sha256 of the exact record bytes at sign time | electronic_signatures (1:1 to record_id) |
| 21 CFR 211 | §211.186 | Master production record approved by 2 independent persons | Formula approval requires preparer + reviewer e-sigs; preparer cannot approve own | formulas.approved_by + reviewer_sig_id |
| 21 CFR 211 | §211.188 | Batch record is an accurate reproduction of the MMR | Released WO snapshots full MMR into work_orders.mmr_snapshot jsonb | work_orders.mmr_snapshot |
| 21 CFR 211 | §211.194 | Lab records include test data, calculations, and signatures | Lab run + instrument capture + Westgard + reviewer sig in one record | lab_runs + lab_run_signatures |
| 21 CFR 820 | §820.184 | Device History Record (DHR) demonstrates device manufactured per DMR | Discrete profile renders DHR from work-order snapshot, components, ops, sigs | regulated_reports type='dhr' |
| 21 CFR 820 | §820.198 | Complaint files maintained, evaluated, investigated | Complaints module with auto-routing to CAPA + linked lots/serials | complaints + complaint_investigations |
| 21 CFR 212 | §212.70(d) | PET drug conditional release before sterility complete | Conditional release flag + retroactive sign-off workflow on lot | lots.conditional_release + retroactive_signoff_id |
| FSMA 204 | §1.1330 | KDEs captured for each Critical Tracking Event on FTL foods | Receive / transform / ship events auto-write KDEs against the lot | traceability_events (CTE + KDE jsonb) |
| EU Annex 11 | §9 | Audit trails reviewed regularly | Audit-trail review checklist auto-scheduled with sign-off | checklist_runs (template='annex11-trail-review') |
| ISO 13485 | §4.2.5 | Records remain legible, identifiable and retrievable | Immutable record IDs + retention policy + replay-from-snapshot reports | regulated_reports + report_renders |
Not exhaustive — full clause crosswalk available in the Validation Pack. Customer-specific mappings (e.g. health-authority-specific clauses for your market) are added during onboarding.
Every shop-floor event writes a record,
and every record carries the audit trail with it.
This is what "compliance by construction" actually looks like. The operator does their job; the system captures the evidence — typed, hashed, signed, and reconciled — without anyone keeping a separate logbook.
- Receive scanDock · writes GRN · INV
- Dispense weighmentWeigh booth · writes INV · BMR
- In-process checkProduction · writes BMR · QC
- E-signatureAny station · writes BMR · QC · DHR
- QC releaseQC bench · writes QC · DHR
- Ship verificationShipping · writes DHR
- GRNGoods Receipt + lot record
- INVInventory ledger entry
- BMRBatch Manufacturing Record
- QCQuality control record
- DHRDevice History / Shipping record
Records are append-only at the database tier. Application code cannot rewrite history.
- actoruser_id + printed name
- meaningapproved · verified · rejected
- timestamp_utc2026-04-30T14:22:01Z
- snapshot_hashsha256:9c4f…b21
- before / afterfield-level diff
- reasonfree-text + reason code
- ip / device10.4.2.18 · KIOSK-03
- frameworks21 CFR §11.10(e), §211.188
Pull any audit row and you can trace it back to the operator, the workstation, the step of the released procedure, and the exact byte-level snapshot of the record at the moment of signing. Pull any batch and you can replay every event that built it. That is the evidence pack your auditor asks for — and it builds itself.
Floor event to inspector-ready PDF — one chain of custody.
IQ/OQ/PQ documentation, included with every release.
We supply Installation Qualification, Operational Qualification, and Performance Qualification protocols — pre-executed for the cloud environment, ready for your QA to attach to your validation file.
- URS / FRS / DS templates
- Risk assessment (GAMP 5 categorized)
- Pre-executed IQ for the V5 Ultimate environment
- OQ scripts mapped to functional requirements
- PQ runbook for customer validation
- Release notes with regulatory impact assessment
CREATE TRIGGER trg_audit_items
AFTER INSERT OR UPDATE OR DELETE
ON public.items
FOR EACH ROW
EXECUTE FUNCTION fn_audit();
-- captures: who, when, before, after,
-- changed_fields, reason,
-- ip, user_agent
--
-- INSERT-only RLS. No UPDATE.
-- No DELETE. Ever.