
21 CFR Part 11 Audit Trail

Immutable, hash-chained audit of every review action with PKCS#7-adjacent signatures


Every EvidAI review automatically captures a tamper-evident audit trail designed to meet the electronic-records requirements of FDA 21 CFR Part 11. Each phase lock, reporting-profile change, reviewer decision, and extraction adjudication is written as an immutable event to the review's append-only chain.

Why This Matters

Regulatory submissions (FDA, EMA, HTA agencies) increasingly require machine-verifiable evidence that the research workflow was not tampered with. PRISMA 2020 gives reviewers a reporting standard, but it does not prove that decisions were made when claimed, by whom, and in the stated sequence. That is what the audit trail provides.

What Gets Captured

Each audit event records:

  • Who — actor user id, name, email, role, and organization
  • When — ISO-8601 timestamp and monotonic sequence number
  • What — structured action (e.g. phase.locked, reporting.profile.selected, extraction.adjudicated)
  • Where — target (phase id, paper id, review id)
  • Before / After — snapshots of the state that changed
  • Why — optional reason or description supplied by the reviewer
  • AI attribution — named agent and action if the change was AI-assisted
  • Device context — user-agent and IP hash captured at request time

Tamper-Evidence via Hash Chain

Every event is linked to its predecessor by a cryptographic hash pointer, and each event's content hash can be recomputed deterministically from its payload. The design follows the same principle as a blockchain-style append-only log:

  1. Monotonic sequence — events are written with strictly increasing sequence numbers; the storage layer rejects duplicates.
  2. Deterministic hashing — the content hash is computed over a canonical form of the event payload. Any change to any field changes the hash.
  3. Chain linking — each event references the previous event's content hash. A silent edit to any event changes that event's content hash, so the next event's pointer no longer matches and verification reports the break. Hiding the edit would require rewriting every later event as well; that is what the signature envelope (below) guards against, because the sealed range digest fixes the hashes as they were when signed.

Signature Envelopes

On demand (and automatically in every export bundle), EvidAI generates a signature envelope over a contiguous range of events. The envelope contains:

  • The signer identity (user, role, organization)
  • The subject — either a single event or a chain range
  • A digest over the chain-range hashes
  • The signing timestamp and meaning (e.g. author, reviewer, approver, sealed, export-sealed)

This lets auditors re-verify the chain offline: given the events file and the envelope, they can recompute each hash, walk the chain, and confirm that the signer sealed exactly that range with that identity.

How to Access the Audit Trail

From the SLR Hub

  1. Open any review (/slr).
  2. In the header action row, click Audit Trail (clipboard icon).
  3. A single file downloads containing:
    • The full event chain
    • A chain verification verdict (valid, or broken-at index and reason)
    • The signature envelope over the chain range

From the Export Bundle

Every export bundle includes an audit directory with:

  • A human-readable summary (event count, chain integrity verdict)
  • The full append-only event chain
  • The signature envelope sealed with the export signer

Events That Are Automatically Emitted

  • Phase locked / unlocked — when a review owner toggles a phase lock from the SLR hub.
  • Reporting profile selected — when the reporting standard changes (e.g. PRISMA 2020 → NICE HTA).
  • Extraction adjudicated — when a dual-reviewer conflict is resolved with a rationale.
  • Reviewer note appended — when a reviewer note is created, edited, or tombstoned (the note itself carries its own version chain — see the Reviewer Notes article).

Custom Audit Events

Workflows that need to record a domain-specific event (protocol amendment, outcome re-coding, protocol deviation) can also be appended through EvidAI's audit interface. The same chain rules apply — deterministic hashing, monotonic sequence, signature envelope on export — so custom events are first-class members of the verifiable trail.

Verifying a Chain Offline

Given the downloaded audit file:

  1. Sort events ascending by sequence.
  2. For each event, recompute the canonical hash of its payload and compare against the recorded content hash.
  3. For each non-first event, confirm its previous-hash pointer matches the prior event's content hash.
  4. Re-hash the envelope subject and confirm it matches the envelope's digest.

If every check passes, the events match the chain the signer sealed; if any check fails, the verifier reports the exact sequence index and the reason (hash mismatch, broken pointer, or digest mismatch).
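The hash chain, the signature envelope and the four-step offline verification above share one set of primitives, so here is a single worked implementation covering all three. This is an added example, not EvidAI's own code: the field names, the genesis sentinel, the canonical JSON form, the newline-joined range digest and the HMAC-SHA256 stand-in for the product's real (unspecified) signature scheme are all assumptions, and the sample events are constructed. It also shows the failure mode the chain alone cannot catch: an insider who re-derives every hash after an edit passes chain verification and is only exposed by the sealed envelope digest.

```python
import copy
import hashlib
import hmac
import json

GENESIS_PREV = "0" * 64  # assumed sentinel for the first event's previous-hash pointer

def canonical_hash(payload):
    # Canonical form: sorted keys, no whitespace, UTF-8. Any field change changes the hash.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()

def append_event(chain, ts, action, actor, target, before=None, after=None, reason=None):
    # The previous-hash pointer sits inside the hashed payload, so relinking is detectable.
    payload = {"seq": len(chain) + 1, "ts": ts, "action": action, "actor": actor,
               "target": target, "before": before, "after": after, "reason": reason,
               "prev_hash": chain[-1]["content_hash"] if chain else GENESIS_PREV}
    event = dict(payload, content_hash=canonical_hash(payload))
    chain.append(event)
    return event

def verify_chain(events):
    # Offline steps 1-3: sort by sequence, recompute each hash, walk the pointers.
    prev_hash, prev_seq = GENESIS_PREV, 0
    for e in sorted(events, key=lambda e: e["seq"]):
        if e["seq"] <= prev_seq:
            return {"valid": False, "broken_at": e["seq"], "reason": "duplicate or non-increasing sequence"}
        payload = {k: v for k, v in e.items() if k != "content_hash"}
        if canonical_hash(payload) != e["content_hash"]:
            return {"valid": False, "broken_at": e["seq"], "reason": "content hash mismatch"}
        if e["prev_hash"] != prev_hash:
            return {"valid": False, "broken_at": e["seq"], "reason": "previous-hash pointer mismatch"}
        prev_hash, prev_seq = e["content_hash"], e["seq"]
    return {"valid": True}

def range_digest(events, start_seq, end_seq):
    # Digest over the content hashes of a contiguous range, in sequence order (assumed layout).
    hashes = [e["content_hash"] for e in sorted(events, key=lambda e: e["seq"])
              if start_seq <= e["seq"] <= end_seq]
    return hashlib.sha256("\n".join(hashes).encode("utf-8")).hexdigest()

def seal_range(events, signer, meaning, signed_at, key):
    # Signature envelope over the whole chain. HMAC-SHA256 with a shared key is a stand-in
    # for the product's real signature scheme, which this page does not specify.
    seqs = [e["seq"] for e in events]
    envelope = {"signer": signer, "meaning": meaning, "signed_at": signed_at,
                "subject": {"type": "chain-range", "start_seq": min(seqs), "end_seq": max(seqs)},
                "digest": range_digest(events, min(seqs), max(seqs))}
    envelope["signature"] = hmac.new(key, canonical_hash(envelope).encode(), "sha256").hexdigest()
    return envelope

def verify_envelope(events, envelope, key):
    # Offline step 4: check the signature, then re-derive the subject digest from the events file.
    body = {k: v for k, v in envelope.items() if k != "signature"}
    expected = hmac.new(key, canonical_hash(body).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, envelope["signature"]):
        return {"valid": False, "reason": "envelope signature invalid"}
    subj = envelope["subject"]
    if range_digest(events, subj["start_seq"], subj["end_seq"]) != envelope["digest"]:
        return {"valid": False, "reason": "range digest mismatch: events are not the sealed ones"}
    return {"valid": True}

def build_sample_chain():
    # Constructed sample events; identifiers are invented, not real EvidAI data.
    actor = {"id": "u-17", "name": "R. Example", "role": "reviewer", "org": "example-org"}
    chain = []
    append_event(chain, "2024-05-01T09:00:00Z", "reporting.profile.selected", actor,
                 {"review_id": "r-1"}, before="PRISMA 2020", after="NICE HTA")
    append_event(chain, "2024-05-02T10:30:00Z", "extraction.adjudicated", actor,
                 {"review_id": "r-1", "paper_id": "p-42"}, before="conflict", after="include",
                 reason="Extractors agreed after discussion")
    append_event(chain, "2024-05-03T16:45:00Z", "phase.locked", actor,
                 {"review_id": "r-1", "phase_id": "screening"}, before="open", after="locked")
    return chain

def demo():
    key = b"export-signer-key"  # stand-in for the export signer's key
    chain = build_sample_chain()
    env = seal_range(chain, chain[0]["actor"], "export-sealed", "2024-05-03T17:00:00Z", key)

    # Silent edit: flip one adjudication outcome without touching any hash.
    edited = copy.deepcopy(chain)
    edited[1]["after"] = "exclude"

    # Full rewrite: the same edit, but every hash re-derived. The chain alone passes;
    # only the sealed envelope digest exposes the substitution.
    rewritten = []
    for e in chain:
        append_event(rewritten, e["ts"], e["action"], e["actor"], e["target"], e["before"],
                     "exclude" if e["seq"] == 2 else e["after"], e["reason"])

    return {"clean_chain": verify_chain(chain), "clean_envelope": verify_envelope(chain, env, key),
            "edited_chain": verify_chain(edited), "rewritten_chain": verify_chain(rewritten),
            "rewritten_envelope": verify_envelope(rewritten, env, key)}
```

Running `demo()` returns a clean verdict for the untouched chain and its envelope, reports the silent edit as broken at sequence 2 with "content hash mismatch", and for the full rewrite returns a valid chain verdict but a failed envelope verdict. The practical lesson is that the hash chain detects edits made without recomputing hashes, while the envelope is what binds the range to a signer at a point in time, so an auditor should always verify both.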

Regulatory Alignment

Requirement (21 CFR 11.10)                 How EvidAI meets it
(a) Validation of systems                  Deterministic hash functions + unit-tested chain engine
(b) Ability to generate accurate copies    Full event chain in every export bundle
(c) Protection of records                  Append-only storage with no in-place edit or delete
(d) Limited access                         Review-scoped authentication on every audit surface
(e) Use of time-stamped audit trails       Monotonic sequence + ISO-8601 timestamps
(g) Authority checks                       Role-based access enforcement on every emitting action
(h) Device checks                          Captured user-agent + IP hash
(k) Documentation controls                 Signature envelope ties signer identity to chain range

Best Practices

  • Lock phases as soon as you are ready to freeze them. The audit event becomes the legal record that the phase closed on that date with that actor.
  • Download the audit trail at every formal milestone (protocol freeze, screening closure, manuscript submission). Attach it to your trial master file or dossier.
  • Use reviewer notes for reasoning — they have their own version chain and carry the reviewer's deliberation, not just the action. See the Reviewer Notes article.