V5 Ultimate
Module · 21 CFR Part 11

21 CFR Part 11the operating model, not a checkbox.

Other systems bolt Part 11 on top. V5 enforces it at the database layer so application code can never rewrite history.

Start free — no card
Anatomy of an e-signature

Part 11 isn't a binder.
It's six things every record must prove.

Most "Part 11 compliant" systems have a signature box and call it a day. Pull the cover off and the proof isn't there. Here's what's actually inside a V5 signed record — click any part to dissect it.

Signed record · WO-44182 · BPR step 14 — release decision
e-signature · §11 envelope
Chain intact · re-verified on every export
Dissecting
§11.200(a) · §11.10(d)
Signer identity
Unique credential, re-authenticated at the moment of signing
What paper / generic e-sign miss

Shared kiosk session. Initials in a binder. No proof the named operator was physically present.

What V5 captures

Per-user PIN/password (+ MFA optional) re-entered at every signature. Session not re-used.

Evidence captured
user_id: u_8821 · M. Rivera · re-auth: PIN+OTP · device: KIOSK-12
21 CFR Part 11 · EU GMP Annex 11 · MHRA Data Integrity

Part 11 is not a feature. It's the substrate.

You can't bolt 21 CFR Part 11 onto a system designed without it. Every record, every signature, every edit in V5 lives inside a single bell jar of cryptographic accountability — the same shape an FDA inspector wants to read.

eBMRAudit traile-signaturesSOPsRecipesTrainingEmail✕ uncontrolledSpreadsheet✕ uncontrolledPaper note✕ uncontrolledShared drive✕ uncontrolled
Inside vs outside the jar

If it matters, it's inside.

The 483 you don't want says "the operator emailed the calibration certificate to QA." Anything that lives in email, spreadsheets, shared drives or a paper notebook is outside the jar — and outside Part 11. V5 pulls those records inside.

Inside · sealed · auditable
Outside · uncontrolled · risk
§11.50 · the anatomy of a signature

A V5 signature carries five inseparable pieces.

Identity

Role-bound user, password re-prompted at click

Timestamp

Server-side UTC, NTP-locked, ±30ms

Meaning

Verbatim 'Approved as QA', captured next to the signature

Binding

Cryptographic hash of the record being signed

Replay

Re-displayable byte-for-byte at audit time

§11.10(e) · the audit trail

Every action. Replayable. Forever.

The audit trail isn't a log file — it's a queryable record. Filter by record, by user, by time window, by action type. Export signed. Inspectors stop asking; the trail is the answer.

audit trail · live
14:02:11ZS.AokiSIGNeBMR B-44871 · Approved as QA
14:01:54ZS.AokiVIEWDEV-2025-0918 · Reviewed deviation
13:58:02ZM.ReyesEDITBR step 5 note · added pH retest note
13:57:18ZM.ReyesSIGNstep 5 retest · Performed by
13:52:01ZL.ParkWITNESSstep 5 retest · Witnessed
11:14:08Z(sys)HOLDB-44871 · auto: pH OOS
483 patterns we've seen

The seven ways Part 11 systems actually fail.

Shared logins (a/k/a 'the night shift account') — V5 makes them impossible by binding signatures to a real, role-tagged user.
Edits not in the audit trail because the underlying field was 'just metadata' — V5 audits all GxP-relevant edits, including metadata.
Audit trail purged on rotation — V5 retains for the regulated lifetime + 1 year, retention configurable per record class.
Timestamps from the client device — V5 stamps server-side, NTP-locked.
E-signature without a meaning string ('e-sig captured' but not 'Approved by QA') — V5 forces the §11.50 meaning prompt.
Validation done once at go-live and never re-run on configuration changes — V5 ties the RTM to change control so re-qual is automatic.
Backups that no one has ever tested restoring — V5 runs and logs quarterly restore drills.

An inspector reads V5 like a book.

V5

Curious how Part 11 actually behaves in V5?

Connected

Every module writes into the same Part 11 substrate — not a side log.

MES, eBMR, doc control, QMS, calibration and analytics all emit signed, hash-chained records — so "Part 11 coverage" is a property of the record, not a separate audit module.

MES · kiosk
Every operator action — scan, charge, signature, witness — is recorded with identity, time and meaning.
eBMR / eDHR
The batch record is born signed and append-only; review-by-exception works because every step is provable, not just visible.
Doc control
Draft, approve, publish, supersede and train events are all signed — the SOP lifecycle is Part 11 from the start.
Signed
Record
one substrate
QMS · CAPA
Deviations, CAPAs, change controls and effectiveness checks are signed events on the same chain — no parallel eQMS audit.
Calibration
As-found / as-left readings and certs are signed records; cal status enforcement is itself Part 11-traceable.
Analytics
Read-only mirrors of the signed records — never a separate cube to reconcile against the audit trail.
"Part 11 ready" without a Part 11 module.
There's nothing to bolt on — the substrate is the answer.
V5

Wondering how Part 11 sits across the rest of your stack?

When it gets messy

The edge cases a "Part 11 module" usually fails on.

Four moments where Part 11 is either a property of the system — or a documentation exercise that won't survive the inspection.

Shift handoff at a shared kiosk

Outgoing operator signs out, incoming operator re-auths with their own credentials — two distinct signing components, every time. No 'stay logged in,' no shared accounts, no 'I signed for him.'

14:58 · P.Singh signs out · re-auth captured
15:01 · J.Okonkwo signs in · password + MFA
✓ next signing event re-auths · two-component, every time

Clock drift across plants and time zones

Every kiosk and server is NTP-synced; signatures carry UTC + local offset. If a node drifts beyond tolerance, V5 refuses to accept signing events from it — not a quiet ten-minute hole.

kiosk-A07 · NTP drift 0.4 s · within tolerance ✓
kiosk-B12 · NTP drift 2.1 s · within tolerance ✓
kiosk-C03 · drift 14 s · signing rejected · alert raised

Witness signature required by SOP

When the SOP demands it (e.g. charge of an active), the kiosk requires a second qualified operator to re-auth on the spot. The witness is a property of the step — not a memo to QA after the fact.

step 04 · charge of API · witness required (SOP)
↳ P.Singh signs · meaning: "charged"
↳ M.Patel re-auths · meaning: "witnessed"
✓ witness is a property of the step · not a memo to QA

Records still readable in 2046

Every signed record exports as a human-readable PDF rendition + machine-readable JSON + independent hash manifest. Re-verifiable on any system, not 'log into our old web app and hope.'

eBMR-88412.pdf · human-readable rendition
eBMR-88412.json · schema-versioned machine record
eBMR-88412.hashes · independent re-verification
✓ readable + verifiable in 2046 · no vendor lock-in
V5

Got a Part 11 edge case the team's worried about?

Engineered on
21 CFR Part 11 e-signatures
Immutable audit trail
Multi-tenant RLS isolation
GS1-128 license plates
Two-way ERP adapters
Instead of an FAQ

Just ask V5 — it knows the product cold.

Pick a question or type your own. V5 answers grounded in how 21 cfr part 11 — e-signatures, audit trail, immutability | v5 ultimate actually behaves on the floor.

Got questions, or want to see it on your shop floor?

Ask V5 — our code-aware assistant — or spin up a workspace. Both are free.