Regulatory mapping¶
Validance's run records, audit trail, and workflow identity are designed to satisfy specific clauses of FDA, EU, and ISO requirements for computerised systems used in regulated environments. This page maps each Validance deliverable to the regulatory text it corresponds to.
This page is a technical reference for QA, regulatory affairs, and validation teams evaluating Validance for use in their environment. It is not legal advice.
Summary¶
| What you owe | What Validance produces |
|---|---|
| Computer-generated, time-stamped, secure audit trail (21 CFR Part 11 §11.10(e)) | Cryptographically linked, fixed-format-timestamped record per execution, attributable to the triggering user, with previous values preserved |
| Audit trail per EudraLex Annex 11 §9, allowing reconstruction of the course of events with previous values not obscured | Same, with per-entity verification so any specific workflow or task history is independently checkable |
| Digital records as objective evidence (FDA CSA 2026 §V.A.6) | System logs, audit trails, file content hashes generated by the software, structured for direct use in assurance records |
| Versioned, hash-identified workflow definition under controlled change (Annex 11 §10) | Content-addressable workflow with SHA-256 definition hash; change is detectable by hash diff |
| Per-run forensic record on demand, without manual reconstruction | Produced as a side effect of execution, retrievable by API at any time |
| ALCOA+ as a structural property of records | See ALCOA+ mapping below |
Detail¶
Audit trail (21 CFR Part 11 §11.10(e))¶
Part 11 §11.10(e) requires "use of secure, computer-generated, time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information."
Validance generates audit records automatically for every workflow event. Each record contains the actor, timestamp, event type, and event-specific details. Records are linked cryptographically; modification is detectable. Audit emission is part of the execution path, so a successful run necessarily has a recorded audit trail. See Audit and evidence.
Audit trail (EudraLex Annex 11 §9)¶
Annex 11 §9 requires that "the system shall be designed to record the identity of operators entering, changing, confirming or deleting data including date and time" and that "audit trails should be available, converted to a generally intelligible form and regularly reviewed".
Validance's audit records are persistent, queryable by API in JSON form, and verifiable. They are designed for QA review and inspection response.
Workflow definition under change control (Annex 11 §10)¶
Annex 11 §10 requires that "any changes to a computerised system including system configurations should only be made in a controlled manner in accordance with a defined procedure".
Validance's content-hash workflow identity makes change detection mechanical: comparing two definitions reduces to comparing two SHA-256 hashes. Combined with version control of the JSON files and the registration step that issues a hash, this provides a substrate for a documented change control procedure.
Digital records over paper (FDA CSA 2026 §V.A.6)¶
The FDA Computer Software Assurance guidance (3 February 2026) recommends "incorporating the use of digital records, such as system logs, audit trails, and other data generated and maintained by the software, as opposed to paper documentation, screenshots, or duplicating results already digitally retained by the software when establishing the record associated with the assurance activities."
Validance's run records, audit trail, lineage queries, and verification API are designed to be used directly as objective evidence in assurance documentation, without manual transcription.
Per-run forensic record¶
For an orchestration engine in a regulated environment, the per-run forensic record is a primary deliverable: workflow definition hash, engine version, container image hashes, file content hashes, lineage, attribution, and timestamps for every execution, retrievable on demand. Validance produces this as a side effect of execution; no manual reconstruction is required.
ALCOA+ mapping¶
ALCOA and ALCOA+ are the data-integrity principles inspectors apply to electronic records. The current FDA, MHRA, WHO, and PIC/S guidance use this vocabulary.
| Principle | How Validance addresses it |
|---|---|
| Attributable | Every audit event records the user or system that caused it; tasks reference credentials by name and the engine resolves them at execution time |
| Legible | Audit records are JSON, human-readable on retrieval, and remain so through the engine's lifetime |
| Contemporaneous | Audit emission is on the execution path; events are recorded at the time they occur, not reconstructed |
| Original (or true copy) | File content hashes preserve the original artefact; the run record references the originals by hash |
| Accurate | Every input and output file's content hash is recorded; any change in content produces a different hash |
| + Complete | Failed runs and aborted runs are captured with their failure mode; records include all events, not just successful ones |
| + Consistent | Audit records carry fixed-format timestamps and chronological ordering |
| + Enduring | Records are persistent in the engine's backing database; archival and retention beyond engine lifetime are operational concerns |
| + Available | All evidence is retrievable by REST API, by run, by workflow, or globally |
What remains your responsibility¶
Validance produces the runtime substrate for compliance evidence. The following remain the customer's responsibility:
- Per-workflow risk assessment and qualification
- Authoring of validation documents (validation plans, qualification protocols, summary reports)
- E-signature governance — Validance integrates with e-signature solutions; the governance procedure is the customer's
- Periodic review, supplier qualification, training, business continuity
- Classification of the workflow's intended use under the relevant predicate rule
These activities are bounded and procedural. Validance reduces the substrate failures that account for most published 483 findings; it does not replace QA.
Source references¶
| Reference | Where to read it |
|---|---|
| 21 CFR Part 11 | eCFR |
| FDA Part 11 — Scope and Application (2003) | FDA |
| FDA Computer Software Assurance for Production and Quality Management System Software (February 2026) | FDA |
| FDA Data Integrity and Compliance With Drug CGMP — Q&A (2018) | FDA |
| EudraLex Volume 4, Annex 11 — Computerised Systems | EU Health |
| ISO 13485:2016 | ISO catalogue (clauses 4.1.6, 7.5.6, 7.6) |
| IEC 62304 | ISO catalogue |
| ICH Q9(R1) — Quality Risk Management | ICH |
| ISPE GAMP 5 (2nd Ed., July 2022) | ISPE |